Subject: Re: login too verbose during failed login
To: Rui Paulo <rpaulo@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 08/27/2005 14:20:32
Rui Paulo wrote:

> Like I said before... I don't object. I just wanted a parameter.

Why? Is there a reason to provide different messages on login failures?

This issue of telling what the real error was, based on either the output
message or even the time it takes for the message to appear, was
discussed a long time ago. The conclusion was that it's a security flaw
if you can tell what the error was, since it helps you refine your
attack.

-e.

-- 
Elad Efrat
PGP Key ID: 0x666EB914
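
As an added illustration of the point made in this message (example code written for this archive page, not code from the thread or from NetBSD's login(1)): the leaky variant below tells the attacker whether the account exists, both through the text of the message and through timing, because the unknown-user path skips the password hashing entirely. The uniform variant returns one message for every failure and does the same amount of work whether or not the account exists. The user store, the PBKDF2 parameters and the dummy record are constructed for the example; the KDF call counter exists only to make the "same work" property visible.

```python
import hashlib
import hmac
import os

# Constructed example store: username -> (salt, PBKDF2-SHA256 digest).
# Built inline so the example runs offline; not a real password database.
ITERATIONS = 50_000

# Instrumentation only: counts how many times the KDF runs, so the two
# failure paths can be compared without relying on wall-clock timing.
KDF_CALLS = {"count": 0}


def derive(password: str, salt: bytes) -> bytes:
    """Derive the stored digest for a password (the expensive step)."""
    KDF_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, derive(password, salt)


USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy record used when the account does not exist, so the unknown-user
# path hashes exactly like the wrong-password path. Its password is random
# and discarded, so it can never be matched.
_DUMMY_SALT, _DUMMY_HASH = make_user(os.urandom(32).hex())


def login_verbose(user: str, password: str) -> str:
    """Leaky version: a different message per cause, and no hashing at all
    when the user is unknown (a faster response the attacker can measure)."""
    record = USERS.get(user)
    if record is None:
        return "Login incorrect: no such user"
    salt, digest = record
    if derive(password, salt) != digest:          # also a non-constant-time compare
        return "Login incorrect: bad password"
    return "OK"


def login_uniform(user: str, password: str) -> str:
    """Hardened version: one message for every failure, the same KDF work on
    every failing path, and a constant-time digest comparison."""
    record = USERS.get(user)
    salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = derive(password, salt)
    # compare_digest runs first so the comparison cost does not depend on
    # whether the account exists; the existence check only gates the result.
    matched = hmac.compare_digest(candidate, digest)
    ok = matched and record is not None
    return "OK" if ok else "Login incorrect"


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__)
        for user, pw in (("alice", "wrong"), ("bob", "wrong"), ("alice", "correct horse battery staple")):
            KDF_CALLS["count"] = 0
            msg = fn(user, pw)
            print(f"  {user!r:8} -> {msg!r:35} KDF calls: {KDF_CALLS['count']}")
```

Running the block prints, for the verbose version, two different failure messages and zero KDF calls for the unknown user; for the uniform version, the same "Login incorrect" for both failures and exactly one KDF call in every case. Equalising the message alone is not enough: without the dummy record the response time would still distinguish the two cases, which is the second channel the message above refers to.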