Date: Fri, 21 Apr 2000 17:43:59 -0400
From: Bob Johnson <bobj@atlantic.net>
To: questions@freebsd.org
Subject: 3.4R telnet might not request password for bad userid
Message-ID: <00042118131300.04490@scanner.engnet.ufl.edu>

To clarify the subject line: I found that in 3.4-RELEASE, if I create
/etc/skey.access, then if I telnet to the system and enter an invalid
user ID, the login is aborted without ever requesting a password. It
does NOT allow an invalid user to log on, but it does give an attacker
a method of identifying a valid user id.

An "invalid user ID" is, in this case, any user that is not allowed to
login with S/Key, either because the user doesn't exist, or is not
enabled in skey.access.

When I telnet to the system, it looks something like this:

    Connected to x.y.ufl.edu.
    Escape character is '^]'.

    login: fred
    Login incorrect
    login:

I fixed the problem by editing /etc/pam.conf and changing the line

    login auth requisite pam_cleartext_pass_ok.so

to

    login auth required pam_cleartext_pass_ok.so

My questions are:

1) Have I introduced some new problem by making this change?

2) Does this problem exist in 3.4-STABLE, and if not, is the fix
   significantly better than what I did? Upgrading to 3.4-STABLE would
   be a real pain for at least one of the systems I encountered this on.

By the way, I cannot reproduce this on 4.0-RELEASE, so it got fixed
somewhere along the way.

-- Bob

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00042118131300.04490>
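
Added example, not part of the original message and not FreeBSD or PAM source code: a small Python model of how a PAM auth stack treats the two control flags named in the post, showing why "requisite" lets a client tell rejected user names apart and "required" does not. The module functions, the user names, the password and the assumption that a password-prompting module follows in the stack are all constructed for illustration.

```python
# Simplified model of PAM "auth" stack evaluation (added example, constructed data).
# Only the two control flags from the post are modelled: requisite and required.

SKEY_DENIED = {"fred"}         # constructed: users the first module rejects
PASSWORDS = {"bob": "s3cret"}  # constructed account database


def cleartext_ok(user, ask):
    """Stand-in for the access-check module: decides on the user name alone."""
    return user not in SKEY_DENIED


def password_check(user, ask):
    """Stand-in for a password module assumed to come later in the stack."""
    supplied = ask("Password:")  # this prompt is what the remote client sees
    return PASSWORDS.get(user) == supplied


def authenticate(stack, user, password):
    """Run the stack; return (success, prompts shown to the client)."""
    prompts = []

    def ask(text):
        prompts.append(text)
        return password

    failed = False
    for control, module in stack:
        if module(user, ask):
            continue
        if control == "requisite":  # fail and return to the application at once
            return False, prompts
        failed = True               # required: remember the failure, keep going
    return not failed, prompts


BEFORE = [("requisite", cleartext_ok), ("required", password_check)]
AFTER = [("required", cleartext_ok), ("required", password_check)]


def prompt_differs(stack, user_a, user_b):
    """True if a client can tell the two users apart by the prompts alone."""
    return authenticate(stack, user_a, "x")[1] != authenticate(stack, user_b, "x")[1]


if __name__ == "__main__":
    for name, stack in (("requisite", BEFORE), ("required", AFTER)):
        print(name, "distinguishable:", prompt_differs(stack, "fred", "bob"))
```

In the model, the "required" stack still rejects the denied user even when a correct-looking password is supplied, because the earlier failure is remembered until the end of the stack.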