From owner-freebsd-questions Mon Apr 3 19:33:12 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from berlin.atlantic.net (berlin.atlantic.net [209.208.0.20])
	by hub.freebsd.org (Postfix) with ESMTP id EFCB237B9A0
	for ; Mon, 3 Apr 2000 19:32:50 -0700 (PDT)
	(envelope-from bobj@atlantic.net)
Received: from mail.atlantic.net (mail.atlantic.net [209.208.0.71])
	by berlin.atlantic.net (8.9.3/8.9.3) with ESMTP id WAA01555
	for ; Mon, 3 Apr 2000 22:36:06 -0400
Received: from bsd.cisi.com (ocalflifanb-as-1-r1-ip-521.atlantic.net [209.208.17.13])
	by mail.atlantic.net (8.9.3/8.9.3) with ESMTP id WAA19517
	for ; Mon, 3 Apr 2000 22:32:40 -0400
Received: from nancy.cisi.com (nancy.cisi.com [192.168.0.131])
	by bsd.cisi.com (8.9.3/8.9.3) with SMTP id WAA40230
	for ; Mon, 3 Apr 2000 22:30:40 -0400 (EDT)
	(envelope-from bobj@atlantic.net)
Message-Id: <3.0.6.32.20000403223004.009bbb50@rio.atlantic.net>
X-Sender: bobj@rio.atlantic.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Mon, 03 Apr 2000 22:30:04 -0400
To: questions@freebsd.org
From: Bob Johnson
Subject: 3.4-R telnetd doesn't prompt for password on bad user id
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have 4 FreeBSD systems. One is 2.2.8 and is fine for the purposes of this question. One is 3.4-RC#4 Fri Dec 17 1999, and it also has no significant problems, although I don't know why I installed 3.4-RC and never upgraded it.

Two of them are 3.4-RELEASE Mon Dec 20 1999. If I telnet to either of them, it does not prompt for a password if I enter an invalid user id: it simply prints "Login incorrect" and displays the login prompt again. This allows a bored attacker to try logins until he hits a valid userid.

One of the two 3.4-RELEASE systems has a kernel built from 3.4-STABLE sources Mon, Mar 27, 2000. The other uses the GENERIC kernel from the original install. Both seem to behave the same.

So: 1) Is this a known problem that I just couldn't find in the archives, or 2) have I managed to misconfigure something to cause this?

I'm not at all sure I have enough drive space left (not to mention spare time) to build a 3.4-STABLE system.

And yes, I normally use SSH. I would have discovered this much sooner if I didn't.

-- Bob

+--------------------------------------------------------
| Bob Johnson
| bobj@atlantic.net
+--------------------------------------------------------
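
The difference the message describes, as an added example that is not part of the original post and is not FreeBSD's login or telnetd code: one login path rejects an unknown user before any password prompt, the other prompts and compares in every case. The account table, the secrets (stand-ins for crypt(3) hashes), the simulated session and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table; "secret" stands in for a crypt(3) hash. */
struct account { const char *name; const char *secret; };
static const struct account accounts[] = { {"alice", "s3cret-A"}, {"operator", "s3cret-B"} };
static const struct account dummy = { "", "*" };   /* compared against when the user is unknown */

/* Simulated terminal: counts how many password prompts the client saw. */
struct session { const char *typed_pw; int prompts; };
static const char *ask_password(struct session *s) { s->prompts++; return s->typed_pw; }

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) return &accounts[i];
    return NULL;
}

/* Compare without stopping at the first mismatching byte. */
static int secret_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i % (lb ? lb : 1)]);
    return diff == 0;
}

/* Behaviour from the report: an unknown user is rejected before any prompt. */
int login_leaky(struct session *s, const char *user) {
    const struct account *a = lookup(user);
    if (a == NULL) return 0;                 /* no "Password:" prompt shown */
    return secret_equal(ask_password(s), a->secret);
}

/* Same prompt and same comparison whether or not the user exists. */
int login_uniform(struct session *s, const char *user) {
    const struct account *a = lookup(user);
    int known = (a != NULL);
    const char *typed = ask_password(s);     /* always prompt */
    int match = secret_equal(typed, known ? a->secret : dummy.secret);
    return known & match;                    /* a dummy match never logs in */
}

int main(void) {
    struct session s1 = {"guess", 0}, s2 = {"guess", 0};
    login_leaky(&s1, "nosuchuser");
    login_uniform(&s2, "nosuchuser");
    printf("leaky prompts=%d uniform prompts=%d\n", s1.prompts, s2.prompts);
    return 0;
}
```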