Date:      Sun, 23 Feb 1997 12:30:02 -0800 (PST)
From:      Mike Pritchard <mpp>
To:        freebsd-bugs
Subject:   Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Message-ID:  <199702232030.MAA00903@freefall.freebsd.org>

The following reply was made to PR bin/2804; it has been noted by GNATS.

From: Mike Pritchard <mpp>
To: joerg_wunsch@uriah.heep.sax.de
Cc: freebsd-gnats-submit
Subject: Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Date: Sun, 23 Feb 1997 12:26:09 -0800 (PST)

 J Wunsch wrote:
 > 
 > As Garrett Wollman wrote:
 > 
 > >  1) Refuse immediately without asking for a password.
 > >  
 > >  or
 > >  
 > >  2) Respond `root login refused on this terminal' without verifying the
 > >  password.
 > 
 > Both aren't correct either.  They allow spying additional UID 0
 > accounts.
 
 The rule I was taught to follow was that you should never provide any 
 more information than "login incorrect" because anything beyond that 
 may help the intruder.  Telling them "root logins refused" informs 
 them right off that you have secure ttys enabled, and that they should
 go try to find another way into the machine.  
 
 I think the only other case we don't just report "login incorrect" is if 
 the account is expired, but you need the correct password first.
 
 Both cases should probably just report "login incorrect", and send
 a syslog message about it.
 -- 
 Mike Pritchard
 mpp@FreeBSD.org
 "Go that way.  Really fast.  If something gets in your way, turn"
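
The behaviour proposed in the message above, as an added example that is not part of the original e-mail and is not FreeBSD's login(1) source: every failure shows the same "Login incorrect" text, and the real reason goes only to the log. The account table, function names and log line format are constructed for illustration, and the plaintext password comparison stands in for getpwnam() and crypt().

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed account table; a real login(1) would use getpwnam() and crypt(). */
struct acct { const char *name, *pw; unsigned uid; time_t expire; /* 0 = never */ };
static const struct acct accts[] = {
    { "root",  "r00tpw",  0,    0 },
    { "toor",  "t00rpw",  0,    0 },   /* second UID 0 account */
    { "alice", "alicepw", 1001, 0 },
    { "bob",   "bobpw",   1002, 1 },   /* expired long ago */
};

enum reason { R_OK, R_NO_USER, R_BAD_PW, R_ROOT_TTY, R_EXPIRED };
static const char *const reason_str[] = {
    "ok", "unknown user", "bad password",
    "root login refused on insecure tty", "account expired" };

/* Decide the outcome. The password is always checked, even when the tty or
 * the expiry date already rules the login out. */
enum reason check_login(const char *user, const char *pw, int tty_secure, time_t now)
{
    const struct acct *a = NULL;
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        if (strcmp(accts[i].name, user) == 0)
            a = &accts[i];
    /* Unknown users are compared against a dummy so the same path runs. */
    int pw_ok = strcmp(a ? a->pw : "\x01", pw) == 0 && a != NULL;
    if (!a) return R_NO_USER;
    if (!pw_ok) return R_BAD_PW;
    if (a->uid == 0 && !tty_secure) return R_ROOT_TTY;
    if (a->expire != 0 && a->expire <= now) return R_EXPIRED;
    return R_OK;
}

/* The only text shown at the terminal: identical for every failure. */
const char *user_message(enum reason r)
{
    return r == R_OK ? "" : "Login incorrect";
}

/* The detail goes to the log instead (a real login would pass this to syslog(3)). */
int log_line(char *buf, size_t n, const char *user, const char *tty, enum reason r)
{
    return snprintf(buf, n, "LOGIN FAILURE on %s for %s: %s", tty, user, reason_str[r]);
}
```

With this split, a UID 0 name tried on an insecure terminal gets the same terminal output as a mistyped password or an unknown user, while the administrator still sees which case occurred.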


