Date:      Tue, 24 Dec 1996 21:53:21 -0700 (MST)
From:      Marc Slemko <marcs@znep.com>
To:        John-Mark Gurney <gurney_j@resnet.uoregon.edu>
Cc:        freebsd-security@freefall.freebsd.org
Subject:   Re: attempted root login gives refused message when password correct instead of login incorrect...
Message-ID:  <Pine.BSF.3.95.961224214847.26976C-100000@alive.ampr.ab.ca>
In-Reply-To: <Pine.NEB.3.95.961224183835.1209P-100000@hydrogen>

On Tue, 24 Dec 1996, John-Mark Gurney wrote:

> well.. I just noticed that if you telnet in and try to login as with the
> correct password... you get the refused message instead of the login
> incorrect message... this seems a security hole as you can "obtain" the
> root password through this method...
> 
> am I being overly worried?  I have a patch that will report login
> incorrect when it's root when it was actually refused...  this doesn't
> change the syslog entry... just what the user sees...

The idea is that if you know the root password, then you have already been
authenticated as root so no information is being given away.  If you are
going to try something like a dictionary attack then I guess it does make
something of a difference, but if such an attack can guess root's password
I think you have bigger problems.

I think that the primary reason that it explicitly states that root login
is refused on the terminal is so that people know why they can't login as
root when they try, and don't get confused thinking they have the wrong
password. 

I'm not sure it is a big issue.  
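To make the distinction the thread is arguing about concrete, here is an added C illustration (not FreeBSD's login(1) source) of the two behaviours: the original, where the terminal message differs by password correctness, and the patched one John-Mark describes, where the terminal message is the same but the syslog reason is unchanged. The sample secret, message strings and syslog reasons are constructed.

```c
#include <string.h>

/* Added illustration (not FreeBSD login(1) source): models a root login
 * attempt on a tty that is not marked "secure" in /etc/ttys.  Constructed
 * sample secret; a real login compares against the stored password hash. */
#define ROOT_PASSWORD_SAMPLE "constructed-sample-secret"

struct login_attempt {
    const char *user;
    const char *password;
    int tty_secure;        /* 1 if the terminal is marked secure */
};

/* What the user sees on the terminal and what goes to syslog. */
struct outcome {
    const char *shown;     /* message printed to the terminal */
    const char *logged;    /* reason recorded by syslog (constructed) */
};

static int root_password_ok(const struct login_attempt *a) {
    return strcmp(a->user, "root") == 0 &&
           strcmp(a->password, ROOT_PASSWORD_SAMPLE) == 0;
}

/* Behaviour John-Mark observed: the terminal message depends on whether
 * the password was correct, so someone on an insecure tty can tell a
 * correct root password from an incorrect one without logging in. */
struct outcome login_original(const struct login_attempt *a) {
    struct outcome o;
    if (!root_password_ok(a)) {
        o.shown = "Login incorrect";  o.logged = "LOGIN FAILURE";
    } else if (!a->tty_secure) {
        o.shown = "root login refused on this terminal.";
        o.logged = "ROOT LOGIN REFUSED";
    } else {
        o.shown = "Welcome";  o.logged = "ROOT LOGIN";
    }
    return o;
}

/* Behaviour of the patch he describes: same terminal message for a wrong
 * password and a refused root login; the syslog entry is left unchanged. */
struct outcome login_patched(const struct login_attempt *a) {
    struct outcome o = login_original(a);
    if (strcmp(o.logged, "ROOT LOGIN REFUSED") == 0)
        o.shown = "Login incorrect";
    return o;
}
```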



