Subject: Re: login leaks information w/ skeys
To: Martin J. Laubach <mjl@nospam.office.emsi.priv.at>
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
List: tech-security
Date: 07/28/2000 02:12:17
  by mail.netbsd.org with SMTP; 28 Jul 2000 00:11:57 -0000
	by rfhs8012.fh-regensburg.de (8.10.1/8.10.1) with ESMTP id e6S0BI309860;
	Fri, 28 Jul 2000 02:11:19 +0200 (MET DST)
Date: Fri, 28 Jul 2000 02:12:17 +0200 (MET DST)
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
Reply-To: hubert.feyrer@informatik.fh-regensburg.de
To: "Martin J. Laubach" <mjl@nospam.office.emsi.priv.at>
cc: tech-security@netbsd.org
Subject: Re: login leaks information w/ skeys
In-Reply-To: <964730751.507513@maschndrohtzaun.emsi.priv.at>
Message-ID: <Pine.GSO.4.10.10007280209350.11355-100000@rfhpc8320.fh-regensburg.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On 27 Jul 2000, Martin J. Laubach wrote:
>   Our login process leaks information:

Here's another one:

NetBSD/sparc64 (delphi) (console)

login: -foo
user names may not start with '-'.
NetBSD/sparc64 (delphi) (console)

login: +bar
Jul 27 11:40:01 delphi login: Device not configured when initializing
Kerberos context
Password:

This is *not* specific to that machine's port, I've also tried it on
1.5_ALPHA/i386. The reason why '-' is special-cased is probably NIS
handling (I have 'passwd: files' in /etc/nsswitch.conf, not compat). 


 - Hubert

-- 
NetBSD - because Unix isn't just #include <linux.h>, i386, ILP32, ELF, ...!