From owner-freebsd-bugs Mon Mar 24 14:50:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16513 for bugs-outgoing; Mon, 24 Mar 1997 14:50:06 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA16503; Mon, 24 Mar 1997 14:50:03 -0800 (PST)
Resent-Date: Mon, 24 Mar 1997 14:50:03 -0800 (PST)
Resent-Message-Id: <199703242250.OAA16503@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, fenner@parc.xerox.com
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id OAA16035 for ; Mon, 24 Mar 1997 14:44:58 -0800 (PST)
Received: from klute.parc.xerox.com ([13.2.116.207]) by alpha.xerox.com with SMTP id <15794(7)>; Mon, 24 Mar 1997 14:44:20 PST
Received: from sundae.parc.xerox.com ([13.2.117.33]) by klute.parc.xerox.com with SMTP id <59168>; Mon, 24 Mar 1997 14:43:55 PST
Received: (from fenner@localhost) by sundae.parc.xerox.com (8.8.5/8.8.5) id LAA04413; Mon, 24 Mar 1997 11:03:20 GMT
Message-Id: <199703241103.LAA04413@sundae.parc.xerox.com>
Date: Mon, 24 Mar 1997 03:03:20 PST
From: Bill Fenner
Reply-To: fenner@parc.xerox.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/3084: possible to determine lack of root password over the network
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 3084
>Category: bin
>Synopsis: possible to determine lack of root password over the network
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 24 14:50:01 PST 1997
>Last-Modified:
>Originator: Bill Fenner
>Organization: Xerox
>Release: FreeBSD 2.2-RELEASE i386
>Environment:

Just installed a fresh 2.2-RELEASE, haven't gotten around to setting a root password yet.
>Description:

Telnetting to the machine and attempting to log on as root exposes the fact that there is no root password, even though the message was changed from "root login refused" to "login incorrect":

FreeBSD (sundae.parc.xerox.com) (ttyp1)

login: root
Login incorrect
login:

>How-To-Repeat:

Try to log on as root on an insecure pty on a machine with no root password.

>Fix:

Ask for a password even if root doesn't have one, if you're going to say "login incorrect" to try to hide information.

>Audit-Trail:
>Unformatted:
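
Added example, not part of the original report and not FreeBSD's login source: a small C model of the behaviour described under Description and of the change requested under Fix, showing that the presence or absence of the password prompt is what lets a remote observer tell the two cases apart. The struct layouts, function names and the sample password are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed account model: pw is "" when no password is set. Real
 * login(1) compares crypt() hashes; plain strings stand in for them here. */
struct account { const char *pw; bool is_root; };

/* What the remote side can observe of one login attempt. */
struct transcript { bool password_prompt; bool login_incorrect; };

/* Hypothetical model of the login decision, not FreeBSD's login.c.
 * prompt_before_refusal selects the behaviour asked for under Fix. */
static struct transcript attempt(const struct account *a, bool tty_secure,
                                 const char *typed, bool prompt_before_refusal)
{
    struct transcript t = { false, false };
    bool refuse_root = a->is_root && !tty_secure;
    bool ok;
    if (a->pw[0] == '\0' && !(refuse_root && prompt_before_refusal)) {
        ok = true;                  /* no password set: prompt is skipped */
    } else {
        t.password_prompt = true;   /* "Password:" is printed and read */
        ok = strcmp(typed, a->pw) == 0;
    }
    if (refuse_root)
        ok = false;                 /* root is never admitted on an insecure tty */
    t.login_incorrect = !ok;
    return t;
}

/* True when, on an insecure tty, root without a password produces a
 * different transcript from root with one, i.e. the state is revealed. */
static bool reveals_empty_root_password(bool prompt_before_refusal)
{
    const struct account unset = { "", true };
    const struct account set = { "constructed-secret", true };
    struct transcript x = attempt(&unset, false, "guess", prompt_before_refusal);
    struct transcript y = attempt(&set, false, "guess", prompt_before_refusal);
    return x.password_prompt != y.password_prompt ||
           x.login_incorrect != y.login_incorrect;
}

int main(void)
{
    printf("reported behaviour reveals it: %d\n", reveals_empty_root_password(false));
    printf("with the fix reveals it:       %d\n", reveals_empty_root_password(true));
    return 0;
}
```

In this model the prompt is forced only on the path that is going to be refused anyway, so a login on a secure tty behaves as before.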