Subject: Re: login too verbose during failed login (was: lib/30923)
To: None <tech-security@NetBSD.org>
From: Rui Paulo <rpaulo@NetBSD.org>
Date: 08/27/2005 11:58:32
Content-Type: text/plain; charset=us-ascii
On 2005.08.27 07:08:47 +0000, Bernd Ernesti wrote:
| let's move this thread to tech-security now, which I'm doing with this mai=
| Please only reply to tech-security and not current-users or me too.
| For the readers on tech-security who didn't see it on current-users:
| Please read http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=309=
| for more information about what this PR wants:
| : >Description:
| : I've enabled telnet without authentication in inetd.conf
| : Then telnetted to the machine.
| : When trying to log in as root and entering a correct or wrong password, I'm getting two different error messages instead of the same.
| This PR is about -current. 2.x also needs to be fixed, but in a different wa=
| because it doesn't use PAM. Zafer Aydogan opened another PR for 2.x: lib/3=
| On Sat, Aug 27, 2005 at 03:05:45AM +0100, Rui Paulo wrote:
| > On 2005.08.26 11:44:27 +0000, Bill Studenmund wrote:
| > | On Fri, Aug 26, 2005 at 07:46:44PM +0100, Rui Paulo wrote:
| > | > On 2005.08.26 10:24:31 +0000, Bill Studenmund wrote:
| > | > | On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
| > | > | >
| > | > | > This is not a security issue from my POV. What I want is an opt=
| > | > | > change the behaviour. That's all.
| > | > |
| > | > | It is. It means that you can remotely attempt to crack the root p=
| > | > | by throwing a dictionary attack at login; the different messages =
| > | > | indicate when you got the right password.
| > | >
| > | > I was referring to the "root login not allowed on this terminal" mes=
| > |
| > | As am I. As is Zafer.
| > |
| > | They leak security information. And that is bad.
| > |
| > | Say I am a remote attacker trying to log in directly as root. I'm log=
| > | in via an insecure terminal, so I have no chance of actually getting =
| > | And yes, there will be "root login attempt" messages & such in the lo=
| > | logs.
| > |
| > | However, and this is the sticky point, I, as a remote attacker, will =
| > | one message thrown at me if I get the password right and a different
| > | message thrown at me if I get it wrong. So even though I didn't get in
| > | (and had no chance of getting in), I know if I got the root password
| > | right. Thus I can use a remote dictionary attack to figure out the ro=
| > | password; I just keep going until I get a different reject message.
| > |
| > | There are a number of ways of fixing this.
| > |
| > | Probably the best is to consolidate them, and make one "You can't get=
| > | because either this terminal is insecure or you typed in the wrong
| > | password" message. I know there was a patch mentioned in this thread,=
| > | should get added to the PR. I don't know if that's what the patch doe=
| > I don't object to such a change, of course, but I was wondering if we c=
| > add a variable (to login.conf maybe?) that defines the behaviour the sy=
| > administrator wants.
| > Whether to enable or disable that variable by default should be discuss=
| > on tech-security, I suppose.
| Such a change has to be enabled by default.
| It should be implemented asap and a login.conf change can come later, if
| we even want such a switch, which I personally don't want.
| > But anyway, if this is something problematic for most systems we should
| > print a "Login failed" message then. Nowadays most people are using SSH =
| > authentication and they don't suffer this problem.
| It doesn't matter if they use SSH or something else, here we are talking =
| telnet and this needs to be fixed.
Like I said before.. I don't object. I just wanted a parameter.
Since I'm the only one "against" (in a certain manner) and unless someone
on tech-security@ comes up with some new objection, please commit the change
and request a 2.1 pullup (you or anyone who wants to take over the PRs).
-- Rui Paulo
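The oracle Bill describes above, and the consolidated-message fix he suggests, as an added illustration in C. This is not NetBSD's login(8) source and not the patch attached to the PR; the root password, the dictionary, the message strings and the terminal-policy check are all constructed for the demo, and the password comparison is a plain strcmp(3) standing in for crypt(3)/PAM. `login_leaky` reproduces the behaviour from the PR (a wrong password and a right-password-on-insecure-tty produce different replies), `login_fixed` returns one reject message for both cases while still performing the password check, and `dictionary_oracle` plays the remote attacker who never gets a shell but watches for the one candidate that "fails differently".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical root password, constructed for this example only. */
static const char *ROOT_PASSWORD = "hunter2";

/* Whether the tty is marked "secure" (the ttys(5) flag that gates root logins). */
enum tty_policy { TTY_INSECURE = 0, TTY_SECURE = 1 };

/* Stand-in for the password check; a real login(8) would go through crypt(3)/PAM. */
static int password_matches(const char *user, const char *pw)
{
    return strcmp(user, "root") == 0 && strcmp(pw, ROOT_PASSWORD) == 0;
}

/* Terminal policy: root may only log in on a secure tty; other users anywhere. */
static int terminal_allows(const char *user, enum tty_policy tty)
{
    return strcmp(user, "root") != 0 || tty == TTY_SECURE;
}

/*
 * Leaky behaviour as described in the PR: on an insecure terminal a wrong
 * password yields "Login incorrect", but the right one yields the
 * "root login not allowed" message. The reply text is a password oracle.
 */
const char *login_leaky(const char *user, const char *pw, enum tty_policy tty)
{
    if (!password_matches(user, pw))
        return "Login incorrect";
    if (!terminal_allows(user, tty))
        return "root login not allowed on this terminal";
    return "Login OK";
}

/*
 * Consolidated behaviour: the reject message is identical whether the
 * password or the terminal was the reason. Both checks always run, so the
 * two reject paths also do comparable work (strcmp is still not
 * constant-time; a real implementation would rely on crypt(3) taking the
 * same time for any input). The real reason belongs in syslog for the
 * admin, not on the attacker's screen.
 */
const char *login_fixed(const char *user, const char *pw, enum tty_policy tty)
{
    int pw_ok = password_matches(user, pw);
    int tty_ok = terminal_allows(user, tty);

    if (pw_ok && tty_ok)
        return "Login OK";
    return "Login incorrect";
}

/*
 * Remote dictionary attack against an insecure terminal. The attacker cannot
 * get in, but tries every candidate and looks for the single one whose reply
 * differs from all the others. Returns that candidate's index, or -1 when
 * every reply was identical (no oracle to exploit).
 */
int dictionary_oracle(const char *(*login)(const char *, const char *, enum tty_policy),
                      const char *const *dict, int n)
{
    int i, j;

    if (n < 2)
        return -1;
    for (i = 0; i < n; i++) {
        const char *mi = login("root", dict[i], TTY_INSECURE);
        int same = 0;
        for (j = 0; j < n; j++)
            if (strcmp(login("root", dict[j], TTY_INSECURE), mi) == 0)
                same++;
        if (same == 1)
            return i;   /* unique reply: this password "failed differently" */
    }
    return -1;
}

int main(void)
{
    /* Constructed wordlist; "hunter2" is the planted root password. */
    static const char *const dict[] = { "password", "letmein", "hunter2", "qwerty" };
    int n = (int)(sizeof dict / sizeof dict[0]);

    printf("leaky login: oracle found candidate %d\n", dictionary_oracle(login_leaky, dict, n));
    printf("fixed login: oracle found candidate %d\n", dictionary_oracle(login_fixed, dict, n));
    return 0;
}
```

Against `login_leaky` the attacker recovers the root password (index 2) without ever being allowed in; against `login_fixed` every reply is the same and the search returns -1. Note that consolidating the message closes only the text oracle; the thread's point about logging still stands, and the "root login attempt" records Bill mentions should keep going to the system log so the administrator, unlike the attacker, can tell the two cases apart.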