
Re: Root login



I just tested this behavior on my Lenny/Sid workstation and Etch
server... frightening indeed! Lenny does spit out an error whereas
Etch still gives a password prompt.

However, since this happens at the login shell, I'd be more concerned
about a user booting a liveCD. I assume SSH still behaves correctly?
Can someone verify?

Thanks,
-rb

On Sat, Sep 13, 2008 at 1:20 AM, François Cerbelle
<francois@cerbelle.net> wrote:
>
> On Sat 13 September 2008 04:47, s. keeling wrote:
> [...]
>>>  Try to login on any Lenny box console with an invalid account.
>>>  You will get "Incorrect login" without being prompted for a
>>>  password at all.
>> What?  And you get a shell prompt?!?
>>
>
> Even if you do not have a shell, you do have an important piece of information:
> the login you tried does not exist. So, you can do a first rapid scan
> based on a dictionary to find the existing users on the server. Then, you
> can focus your attack on these accounts.
>
> If the system would ask for a password, even if the account does not exist,
> you cannot know whether the account exists or not. The security problem is
> here, if I understood the previous message correctly.
>
> As I use Etch, I was not able to test it on Lenny and I did not test it on
> Etch.
>
>
> Fanfan
> --
> http://www.cerbelle.net - http://www.afdm-idf.org
>
>
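The point Fanfan makes above is that an "Incorrect login" message issued before any password prompt is a user-existence oracle, while prompting for a password regardless of whether the account exists removes it. The following is an added illustration written for this thread, not code from Debian's login or PAM; it models the two behaviours in Python against a constructed user table, and `observable_difference()` checks whether a caller supplying a wrong password can distinguish a real account from a non-existent one from the prompt sequence alone.

```python
"""Added illustration (not from the thread or from Debian's login/PAM):
why rejecting an unknown account before the password prompt leaks account
existence, and the uniform-response behaviour that closes the gap."""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; the iteration count is modest so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed sample user database: username -> (salt, stored hash).
_SALT_ALICE = b"constructed-salt-1"
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# Dummy credential so an unknown username still goes through the same
# prompt and the same hashing work as a known one.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def leaky_login(username, password_prompt):
    """Mimics the Lenny console behaviour described in the thread: an
    unknown account is rejected before any password is requested, so the
    visible transcript differs for existing and non-existing accounts.
    Returns (success, list of visible events)."""
    events = []
    if username not in USERS:
        events.append("Incorrect login")
        return False, events
    events.append("Password:")
    password = password_prompt()
    salt, stored = USERS[username]
    ok = hmac.compare_digest(_hash(password, salt), stored)
    events.append("Login OK" if ok else "Login incorrect")
    return ok, events


def uniform_login(username, password_prompt):
    """Always prompts for a password and always performs a hash comparison,
    so the prompt sequence (and roughly the work done) is identical whether
    or not the account exists. Returns (success, list of visible events)."""
    events = ["Password:"]
    password = password_prompt()
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # Never report success for a username absent from the database, even
    # if the supplied password happens to match the dummy hash.
    ok = ok and username in USERS
    events.append("Login OK" if ok else "Login incorrect")
    return ok, events


def observable_difference(login_fn, known="alice", unknown="nosuchuser"):
    """True if a caller who only supplies a wrong password can tell the
    known and unknown usernames apart from the visible events alone."""
    _, known_events = login_fn(known, lambda: "wrong password")
    _, unknown_events = login_fn(unknown, lambda: "wrong password")
    return known_events != unknown_events


if __name__ == "__main__":
    print("leaky_login leaks existence:", observable_difference(leaky_login))
    print("uniform_login leaks existence:", observable_difference(uniform_login))
```

The dummy-hash step matters as much as the prompt: if the unknown-user path skipped the hash computation, the response timing would still distinguish the two cases even though the prompts look the same.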

