Re: Small Bug

To: debian-hurd@lists.debian.org
Cc: debian-hurd@lists.debian.org
Subject: Re: Small Bug
From: dallen@capitalone.com
Date: Thu, 24 Feb 2000 16:25:25 -0500
Message-id: <0031F794.C22211@capitalone.com>

I was under the impression that most ftpd's and so on not only
ask for a password even if the user name entered was invalid,
but don't even bother checking the username until they have
a username/password pair.  Hence the also common error message:
"Invalid username/password".  (Which I think I've seen on a lot
of other UNIXen with login as well)

It does make more sense though that you should give the possible
attacker as little information about the system as you can.

______________________________ Reply Separator _________________________________
Subject: Small Bug
Author:  "Alan P. Laudicina" <alanp@linux.com> at Internet
Date:    2/23/00 8:58 PM


login> login alanp
login: alanp: Unknown user
login> login alan
Password:
     
This isn't a good idea security-wise.  Instead of the 'User 
Unknown' error, it should just ask for the password and error 
out with an Invalid Password error.  The way it is setup now
it could be used to guess login names, which is pretty much the 
reason that most ftpds ask for a password if there is no such 
username on the system anyways, now.
     
Thanks,
Alan P. Laudicina
     
-- 
|          Alan P. Laudicina / alanp@linux.com          | 
|  http://corp.linux.com  /  http://www.unixpower.org   | 
| "You can get more with a kind word and a gun than you | 
| can with a kind word alone." - Al Capone (1899-1947)  |
     
     
-- 
To UNSUBSCRIBE, email to debian-hurd-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Small Bug
  - From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>

Prev by Date: Re: Me again (Postgresql)
Next by Date: Fdisk doesn't work
Previous by thread: Small Bug
Next by thread: Re: Small Bug
Index(es):
- Date
- Thread