Re: less secure login
David Jardine wrote:
When logging into a console under squeeze, a false user name is now
rejected immediately. Up to recently there was no reaction to a
false user name until the password had been entered.
Although I personally find the new behaviour more convenient, it
seems to me less secure to give an intruder feedback on his guess at
the user name before he goes on to guessing the password.
I couldn't find anything relevant to the change in the docs under
/usr/share/doc/login - but I don't even know that that's the right
place to look.
Is this a bug or a supposed feature? And which package is involved?
Not sure if you are looking for that, but have a look in /etc/pam.d/login:
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
# Note that it is included as a "requisite" module. No password prompts will
# be displayed if this module fails to avoid having the root password
# transmitted on unsecure ttys.
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root).
auth requisite pam_securetty.so