
Re: Small Bug

I was under the impression that most ftpd's and so on not only
ask for a password even if the user name entered was invalid,
but don't even bother checking the username until they have
a username/password pair.  Hence the also common error message:
"Invalid username/password".  (Which I think I've seen on a lot
of other UNIXen with login as well)

It does make more sense though that you should give the possible
attacker as little information about the system as you can.

______________________________ Reply Separator _________________________________
Subject: Small Bug
Author:  "Alan P. Laudicina" <alanp@linux.com> at Internet
Date:    2/23/00 8:58 PM

login> login alanp
login: alanp: Unknown user
login> login alan
This isn't a good idea security-wise.  Instead of the 'User 
Unknown' error, it should just ask for the password and error 
out with an Invalid Password error.  The way it is set up now
it could be used to guess login names, which is pretty much the 
reason that most ftpds ask for a password if there is no such 
username on the system anyways, now.
Alan P. Laudicina
|          Alan P. Laudicina / alanp@linux.com          | 
|  http://corp.linux.com  /  http://www.unixpower.org   | 
| "You can get more with a kind word and a gun than you | 
| can with a kind word alone." - Al Capone (1899-1947)  |
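
An added example, not part of either message and not the Hurd login code: a C sketch that puts the behaviour shown in the session ("Unknown user" before any password) beside the behaviour both posters describe (always take a username/password pair, answer with one message). The account table, the function names and the "Invalid password" string are constructed for illustration; the plain string compare stands in for real password-hash verification.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table. "secret" stands in for a stored password hash;
   a real login would use the system account database and crypt(3). */
struct account { const char *name; const char *secret; };
static const struct account accounts[] = { { "alan", "constructed-secret" } };
/* Compared against when the name is unknown, so both paths do a compare. */
static const struct account dummy = { "", "never-matches" };

static const struct account *find_account(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return &accounts[i];
    return NULL;
}

/* Compare without stopping at the first differing byte. */
static int same_secret(const char *given, const char *stored) {
    size_t lg = strlen(given), ls = strlen(stored);
    unsigned char diff = (unsigned char)(lg != ls);
    for (size_t i = 0; i < lg; i++)
        diff |= (unsigned char)(given[i] ^ stored[ls ? i % ls : 0]);
    return diff == 0;
}

/* Behaviour from the thread: the name is rejected before any password,
   so the reply tells the caller whether the account exists. */
const char *leaky_login(const char *user, const char *password) {
    const struct account *a = find_account(user);
    if (a == NULL)
        return "Unknown user";
    return same_secret(password, a->secret) ? "OK" : "Invalid password";
}

/* Suggested behaviour: always take the pair, answer with one message. */
const char *uniform_login(const char *user, const char *password) {
    const struct account *a = find_account(user);
    int known = (a != NULL);
    int match = same_secret(password, known ? a->secret : dummy.secret);
    return (known & match) ? "OK" : "Invalid username/password";
}

int main(void) {
    printf("alanp: %s\n", uniform_login("alanp", "x"));
    printf("alan:  %s\n", uniform_login("alan", "x"));
    return 0;
}
```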