Subject: login/ftpd username probing via s/key
To: None <tech-security@NetBSD.ORG>
From: Mike Long <mikel@shore.net>
List: tech-security
Date: 06/25/1997 13:28:39
Recently the change below was made to /bin/login:
----------------------------------------------------------------------
lukem
Tue Jun 24 17:15:07 PDT 1997
Update of /cvsroot/src/usr.bin/login
In directory netbsd1:/var/slash-tmp/cvs-serv29025
Modified Files:
login.1 login.c
Log Message:
Apply [bin/3270] from Simon J. Gerraty <sjg@quick.com.au>, with fixes by me:
* if the user has an s/key, provide a reminder in the password prompt
* if '-s' is given once, force a user that has an s/key to use it
* if '-s' is given more than once, only permit s/key logins
----------------------------------------------------------------------
What I'm wondering is if the s/key reminder in the prompt may be used
to probe for valid usernames. Isn't this a security hole, and if so,
how bad is it? When I mentioned my concern to Luke, he mentioned that
ftpd had similar code.
I think the password prompt should be enabled only if another option
(-S? -c? other suggestions?) is given.
--
Mike Long <mikel@shore.net> http://www.shore.net/~mikel
"Every normal man must be tempted at times to spit on his hands,
hoist the black flag, and begin slitting throats." -- H.L. Mencken
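Added example, not code from the post or from NetBSD's login.c: a toy model of the prompt behaviour described above, with a check that tells whether a prompt function acts as a username oracle. The user list, s/key entries and prompt strings are constructed for the illustration.

```python
"""Toy model of the /bin/login prompt change discussed in the post.

Constructed example: the users, s/key entries and exact prompt text below are
made up and are not NetBSD's real data or code.
"""

# Stand-ins for /etc/passwd and the s/key key file (constructed).
PASSWD_USERS = {"alice", "bob"}
SKEY_KEYS = {"alice": (97, "ne12345")}   # user -> (sequence number, seed)


def password_prompt(user, reminder_enabled):
    """Build the password prompt shown for `user`.

    reminder_enabled=True mirrors the changed login(1): a user with an s/key
    entry gets the s/key challenge folded into the prompt.  With it False
    (the default the post argues for, unless an extra option is given) every
    name, valid or not, receives the identical prompt.
    """
    if reminder_enabled and user in PASSWD_USERS and user in SKEY_KEYS:
        seq, seed = SKEY_KEYS[user]
        return f"Password [s/key {seq} {seed}]:"
    return "Password:"


def prompt_is_oracle(prompt_fn, probe_names):
    """True if the prompt text depends on the name typed.

    Anyone who can reach the login prompt then learns something about which
    names exist before supplying any credential.  Note the leak here is
    partial: only accounts that have an s/key entry stand out, while a valid
    account without one ("bob") looks the same as a nonexistent name.
    """
    return len({prompt_fn(name) for name in probe_names}) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    for reminder in (True, False):
        print(f"reminder_enabled={reminder}:")
        for n in names:
            print(f"  {n:8} -> {password_prompt(n, reminder)!r}")
        leak = prompt_is_oracle(lambda u: password_prompt(u, reminder), names)
        print(f"  oracle: {leak}")
```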