Subject: Re: login too verbose during failed login (was: lib/30923)
To: None <tech-security@NetBSD.org>
From: Rui Paulo <rpaulo@NetBSD.org>
List: tech-security
Date: 08/27/2005 11:58:32

On 2005.08.27 07:08:47 +0000, Bernd Ernesti wrote:
| Hi,
|
| let's move this thread to tech-security now, which I'm doing with this mail.
| Please only reply to tech-security and not current-users or me too.
|
| For the readers on tech-security who didn't see it on current-users:
|
| Please read http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=30923
| for more information on what this PR wants:
|
| : >Description:
| : I've enabled telnet without authentication in inetd.conf
| : Then telnetted to the machine.
| : When trying to log in as root and entering a correct or wrong password, I'm getting two different Error Messages instead of the same.
|
| This PR is about -current. 2.x also needs to be fixed, but in a different way,
| because it doesn't use PAM. Zafer Aydogan opened another PR for 2.x: lib/31059.
|
| On Sat, Aug 27, 2005 at 03:05:45AM +0100, Rui Paulo wrote:
| > On 2005.08.26 11:44:27 +0000, Bill Studenmund wrote:
| > | On Fri, Aug 26, 2005 at 07:46:44PM +0100, Rui Paulo wrote:
| > | > On 2005.08.26 10:24:31 +0000, Bill Studenmund wrote:
| > | > | On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
| > | > | >
| > | > | > This is not a security issue from my POV. What I want is an option to
| > | > | > change the behaviour. That's all.
| > | > |
| > | > | It is. It means that you can remotely attempt to crack the root password
| > | > | by throwing a dictionary attack at login; the different messages will
| > | > | indicate when you got the right password.
| > | >
| > | > I was referring to the "root login not allowed on this terminal" messages.
| > |
| > | As am I. As is Zafer.
| > |
| > | They leak security information. And that is bad.
| > |
| > | Say I am a remote attacker trying to log in directly as root. I'm logging
| > | in via an insecure terminal, so I have no chance of actually getting in.
| > | And yes, there will be "root login attempt" messages & such in the local
| > | logs.
| > |
| > | However, and this is the sticky point, I, as a remote attacker, will get
| > | one message thrown at me if I get the password right and a different
| > | message thrown at me if I get it wrong. So even though I didn't get in
| > | (and had no chance of getting in), I know if I got the root password
| > | right. Thus I can use a remote dictionary attack to figure out the root
| > | password; I just keep going until I get a different reject message.
| > |
| > | There are a number of ways of fixing this.
| > |
| > | Probably the best is to consolidate them, and make one "You can't get in
| > | because either this terminal is insecure or you typed in the wrong
| > | password" message. I know there was a patch mentioned in this thread, it
| > | should get added to the PR. I don't know if that's what the patch does...
| >
| > I don't object to such a change, of course, but I was wondering if we could
| > add a variable (to login.conf maybe?) that defines the behaviour the system
| > administrator wants.
| >
| > Whether to enable or disable that variable by default should be discussed
| > on tech-security, I suppose.
|
| Such a change has to be enabled by default.
|
| It should be implemented ASAP and a login.conf change can come later, if
| we even want such a switch, which I personally don't want.
|
| > But anyway, if this is something problematic for most systems we should
| > print a "Login failed" message then. Nowadays most people are using SSH for
| > authentication and they don't suffer this problem.
|
| It doesn't matter if they use SSH or something else, here we are talking about
| telnet and this needs to be fixed.

Like I said before... I don't object. I just wanted a parameter.
Since I'm the only one "against" (in a certain manner) and unless someone
on tech-security@ comes up with some new objection, please commit the change
and request a 2.1 pullup (you or anyone who wants to take over the PRs).

		-- Rui Paulo

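The message-consolidation fix that Bill Studenmund proposes in the quoted thread, shown as an added example rather than NetBSD's own login(1) code: a "leaky" check that rejects a root login on an insecure terminal only after the password has been verified (so the two rejection texts reveal whether the guess was right), beside a consolidated check that returns one "Login incorrect" text for every failure and records the real reason only in the local log. The in-memory account table, the plaintext password comparison and all function names are constructed for this illustration; a real login would consult crypt(3)/PAM.

```c
/* Added example (not NetBSD login(1)): two rejection messages as a
 * password oracle on an insecure tty, and the consolidated fix.
 * The account table and all names below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

struct account { const char *name; const char *password; int is_root; };

/* Constructed table; real code would use crypt(3) hashes via getpwnam/PAM. */
static const struct account accounts[] = {
    { "root",  "s3cret-root-pw", 1 },
    { "alice", "alice-pw",       0 },
};

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Length-independent comparison so that response time does not become a
 * second oracle once the messages have been unified. */
static int password_ok(const struct account *a, const char *pw) {
    if (a == NULL)
        return 0;
    size_t la = strlen(a->password), lb = strlen(pw);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a->password[i] ^ (i < lb ? pw[i] : 0));
    return diff == 0;
}

/* Behaviour the PR complains about: the "not allowed on this terminal"
 * branch is reached only when the password was right, so the reply text
 * tells a remote caller whether the guess succeeded. */
const char *login_attempt_leaky(const char *user, const char *pw, int tty_secure) {
    const struct account *a = lookup(user);
    if (!password_ok(a, pw))
        return "Login incorrect";
    if (a->is_root && !tty_secure)
        return "root login not allowed on this terminal";
    return "Login OK";
}

/* Consolidated behaviour: the password is still checked (so the attempt is
 * logged and timing stays uniform), but every failure yields the same text;
 * the "insecure terminal" reason goes only to the local log. */
const char *login_attempt_fixed(const char *user, const char *pw, int tty_secure) {
    const struct account *a = lookup(user);
    int ok = password_ok(a, pw);
    int refused = (a != NULL && a->is_root && !tty_secure);
    if (ok && refused)
        fprintf(stderr, "log: ROOT LOGIN REFUSED for %s (insecure terminal)\n", user);
    if (!ok || refused)
        return "Login incorrect";
    return "Login OK";
}

/* How many distinct replies does a caller on an insecure terminal see when
 * trying root with a wrong and with the right password? 2 means the replies
 * form an oracle; 1 means the leak is closed. */
int distinct_failure_messages(const char *(*attempt)(const char *, const char *, int)) {
    const char *wrong = attempt("root", "not-the-password", 0);
    const char *right = attempt("root", "s3cret-root-pw", 0);
    return strcmp(wrong, right) == 0 ? 1 : 2;
}

int main(void) {
    printf("leaky login: %d distinct replies on an insecure tty\n",
           distinct_failure_messages(login_attempt_leaky));
    printf("fixed login: %d distinct reply on an insecure tty\n",
           distinct_failure_messages(login_attempt_fixed));
    return 0;
}
```

The point to verify in any such change is that the consolidated path still performs the password check and still writes the detailed reason to the local log: dropping the check would change timing, and dropping the log entry would remove exactly the "root login attempt" record that the thread relies on for detection.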