Subject: login too verbose during failed login (was: lib/30923)
To: None <tech-security@NetBSD.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: tech-security
Date: 08/27/2005 07:08:47
Hi,

Let's move this thread to tech-security now, which I'm doing with this mail.
Please only reply to tech-security and not current-users or me too.

For the readers on tech-security who didn't see it on current-users:

Please read http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=30923
for more information on what this PR wants:

: >Description:
: I've enabled telnet without authentication in inetd.conf
: Then telnetted to the machine.
: When trying to log in as root and entering a correct or wrong password, I'm getting two different Error Messages instead of the same.

This PR is about -current. 2.x also needs to be fixed, but in a different way,
because it doesn't use PAM. Zafer Aydogan opened another PR for 2.x: lib/31059.

On Sat, Aug 27, 2005 at 03:05:45AM +0100, Rui Paulo wrote:
> On 2005.08.26 11:44:27 +0000, Bill Studenmund wrote:
> | On Fri, Aug 26, 2005 at 07:46:44PM +0100, Rui Paulo wrote:
> | > On 2005.08.26 10:24:31 +0000, Bill Studenmund wrote:
> | > | On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
> | > | > 
> | > | > This is not a security issue from my POV. What I want is an option to
> | > | > change the behaviour. That's all.
> | > | 
> | > | It is. It means that you can remotely attempt to crack the root password 
> | > | by throwing a dictionary attack at login; the different messages will 
> | > | indicate when you got the right password.
> | > 
> | > I was referring to the "root login not allowed on this terminal" messages.
> | 
> | As am I. As is Zafer.
> | 
> | They leak security information. And that is bad.
> | 
> | Say I am a remote attacker trying to log in directly as root. I'm logging 
> | in via an insecure terminal, so I have no chance of actually getting in. 
> | And yes, there will be "root login attempt" messages & such in the local 
> | logs.
> | 
> | However, and this is the sticky point, I, as a remote attacker, will get
> | one message thrown at me if I get the password right and a different
> | message thrown at me if I get it wrong. So even though I didn't get in
> | (and had no chance of getting in), I know if I got the root password
> | right. Thus I can use a remote dictionary attack to figure out the root
> | password; I just keep going until I get a different reject message.
> | 
> | There are a number of ways of fixing this.
> | 
> | Probably the best is to consolidate them, and make one "You can't get in 
> | because either this terminal is insecure or you typed in the wrong 
> | password" message. I know there was a patch mentioned in this thread, it 
> | should get added to the PR. I don't know if that's what the patch does...
> 
> I don't object to such a change, of course, but I was wondering if we could
> add a variable (to login.conf maybe?) that defines the behaviour the system
> administrator wants.
> 
> Whether to enable or disable that variable by default should be discussed
> on tech-security, I suppose.

Such a change has to be enabled by default.

It should be implemented asap and a login.conf change can come later, if
we even want such a switch, which I personally don't want.

> But anyway, if this is something problematic for most systems we should
> print a "Login failed" message then. Nowadays most people are using SSH for
> authentication and they don't suffer this problem.

It doesn't matter if they use SSH or something else, here we are talking about
telnet and this needs to be fixed.

Bernd
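
The information leak discussed in this thread, as an added example that is not part of the original mail and is not NetBSD's login(1) or PAM code: a small C model of the login decision with the two-message behaviour from the PR beside the consolidated single-message form, plus a regression check that compares the replies. All names, the sample password and the "Login incorrect" text are assumptions made for the illustration; the terminal message is the one quoted in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixture for the model; not taken from any real system. */
#define MODEL_ROOT_PW "constructed-sample-pw"

struct attempt {
    const char *user;
    const char *password;
    bool tty_secure;   /* hypothetical flag: is root allowed on this terminal? */
};

static bool pw_ok(const struct attempt *a) {
    return strcmp(a->user, "root") == 0 && strcmp(a->password, MODEL_ROOT_PW) == 0;
}

/* Behaviour described in the PR: the terminal refusal is only shown once the
 * password has verified, so the reply text confirms a correct password. */
static const char *reply_leaky(const struct attempt *a) {
    if (!pw_ok(a))
        return "Login incorrect";
    if (!a->tty_secure)
        return "root login not allowed on this terminal";
    return "OK";
}

/* Consolidated form suggested in the thread: every refusal produces the same
 * text; the actual cause belongs in the local log, not in the reply. */
static const char *reply_uniform(const struct attempt *a) {
    bool ok = pw_ok(a);   /* always evaluated, independent of the tty check */
    if (ok && a->tty_secure)
        return "OK";
    return "Login incorrect";
}

/* Regression check: on an insecure terminal, do a right and a wrong password
 * get different replies? Returns true if the reply text leaks the result. */
static bool leaks_on_insecure_tty(const char *(*reply)(const struct attempt *)) {
    struct attempt good = { "root", MODEL_ROOT_PW, false };
    struct attempt bad  = { "root", "wrong-guess", false };
    return strcmp(reply(&good), reply(&bad)) != 0;
}

int main(void) {
    printf("two messages: %s\n", leaks_on_insecure_tty(reply_leaky) ? "leaks" : "uniform");
    printf("one message:  %s\n", leaks_on_insecure_tty(reply_uniform) ? "leaks" : "uniform");
    return 0;
}
```

The check covers only the reply text; differences in response time or in connection handling between the two cases would need a separate test.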