From owner-freebsd-questions  Tue Apr  4  3:25:46 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.1.175])
	by hub.freebsd.org (Postfix) with ESMTP id 55E9237B6EB
	for <questions@freebsd.org>; Tue,  4 Apr 2000 03:25:42 -0700 (PDT)
	(envelope-from sheldonh@axl.ops.uunet.co.za)
Received: from sheldonh (helo=axl.ops.uunet.co.za)
	by axl.ops.uunet.co.za with local-esmtp (Exim 3.13 #1)
	id 12cQWY-000Mf4-00; Tue, 04 Apr 2000 12:25:30 +0200
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Bob Johnson <bobj@atlantic.net>
Cc: questions@FreeBSD.ORG
Subject: Re: 3.4-R telnetd doesn't prompt for password on bad user id 
In-reply-to: Your message of "Mon, 03 Apr 2000 22:30:04 -0400."
             <3.0.6.32.20000403223004.009bbb50@rio.atlantic.net> 
Date: Tue, 04 Apr 2000 12:25:30 +0200
Message-ID: <87113.954843930@axl.ops.uunet.co.za>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG



On Mon, 03 Apr 2000 22:30:04 -0400, Bob Johnson wrote:

> Two of them are 3.4-RELEASE Mon Dec 20 1999.  If I telnet to either of 
> them, it does not prompt for a password if I enter an invalid user id: 
> it simply prints "Login incorrect" and displays the login prompt again.
> This allows a bored attacker to try logins until he hits a valid userid.

Weird.  I'm using 5.0-CURRENT and I don't see this.  Two things come to
mind, though:

1) Are you _sure_ you're using the stock /usr/libexec/telnetd ?
2) Are you perhaps using Kerberized telnet?

Ciao,
Sheldon.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message