Subject: Re: PRs 30923 and 31059
To: None <>
From: Gavan Fantom <>
List: tech-security
Date: 02/10/2006 19:12:36
Bernd Ernesti wrote:

> IMHO we should change the code and the message in the case of a uid 0 login too.
> 	Login incorrect or refused on this terminal.

Printing a different message here allows any network user, without 
authentication, to query whether a user has uid 0 or not.

Would it not be better to output "Login incorrect", and then log the 
failure reason?

Gillette - the best a man can forget