Recently the change below was made to /bin/login:

----------------------------------------------------------------------
lukem
Tue Jun 24 17:15:07 PDT 1997
Update of /cvsroot/src/usr.bin/login
In directory netbsd1:/var/slash-tmp/cvs-serv29025

Modified Files:
	login.1 login.c 
Log Message:
Apply [bin/3270] from Simon J. Gerraty <sjg@quick.com.au>, with fixes by me:
* if the user has an s/key, provide a reminder in the password prompt
* if '-s' is given once, force a user that has an s/key to use it
* if '-s' is given more than once, only permit s/key logins
----------------------------------------------------------------------

What I'm wondering is if the s/key reminder in the prompt may be used
to probe for valid usernames.  Isn't this a security hole, and if so,
how bad is it?  When I mentioned my concern to Luke, he mentioned that
ftpd had similar code.

I think the password prompt should be enabled only if another option
(-S? -c? other suggestions?) is given.
-- 
Mike Long <mikel@shore.net>                http://www.shore.net/~mikel
"Every normal man must be tempted at times to spit on his hands,
hoist the black flag, and begin slitting throats." -- H.L. Mencken