From: Bob Johnson
To: questions@freebsd.org
Subject: 3.4R telnet might not request password for bad userid
Date: Fri, 21 Apr 2000 17:43:59 -0400

To clarify the subject line: I found that in 3.4-RELEASE, if I create /etc/skey.access, then if I telnet to the system and enter an invalid user ID, the login is aborted without ever requesting a password. It does NOT allow an invalid user to log on, but it does give an attacker a method of identifying a valid user ID.

An "invalid user ID" is, in this case, any user that is not allowed to log in with S/Key, either because the user doesn't exist or is not enabled in skey.access.

When I telnet to the system, it looks something like this:

    Connected to x.y.ufl.edu.
    Escape character is '^]'.
    login: fred
    Login incorrect
    login:

I fixed the problem by editing /etc/pam.conf and changing the line

    login auth requisite pam_cleartext_pass_ok.so

to

    login auth required pam_cleartext_pass_ok.so

My questions are:

1) Have I introduced some new problem by making this change?

2) Does this problem exist in 3.4-STABLE, and if not, is the fix significantly better than what I did? Upgrading to 3.4-STABLE would be a real pain for at least one of the systems I encountered this on.
By the way, I cannot reproduce this on 4.0-RELEASE, so it got fixed somewhere along the way.

-- 
Bob
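An added example, not part of Bob's message and not FreeBSD's PAM code: a small Python model of PAM auth-stack control flags, showing why a "requisite" failure in pam_cleartext_pass_ok ends the login before the password module can prompt, while "required" remembers the failure, still prompts, and still denies the login, so a real and an unknown user see the same sequence. The two-module stack, the module behaviour and the sample accounts are assumptions constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7        # illustrative numbers, not libpam's real constants

# Constructed sample data: one real account, which skey.access permits to use a
# plain password. Any other name (such as "fred") fails pam_cleartext_pass_ok.
PASSWD: Dict[str, str] = {"alice": "s3cret"}
CLEARTEXT_OK = {"alice"}

def pam_cleartext_pass_ok(user: str, password: str) -> int:
    """Model of the skey.access check: no prompt, just permit or deny."""
    return PAM_SUCCESS if user in CLEARTEXT_OK else PAM_AUTH_ERR

def pam_unix(user: str, password: str) -> int:
    """Model of the module that prompts for and verifies the password."""
    return PAM_SUCCESS if PASSWD.get(user) == password else PAM_AUTH_ERR

Module = Callable[[str, str], int]
Stack = List[Tuple[str, Module]]        # (control flag, module)

def run_auth_stack(stack: Stack, user: str, password: str) -> Tuple[int, List[str]]:
    """Evaluate a PAM auth stack; returns (status, names of modules that ran).
    required: failure is remembered, stack continues; requisite: failure returns
    at once; sufficient: success ends the stack unless a required module already
    failed; optional: never decides on its own."""
    ran, required_failed = [], False
    for ctrl, module in stack:
        ran.append(module.__name__)
        status = module(user, password)
        if ctrl == "requisite" and status != PAM_SUCCESS:
            return status, ran               # later modules (and their prompts) never run
        if ctrl == "required" and status != PAM_SUCCESS:
            required_failed = True
        if ctrl == "sufficient" and status == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS, ran
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), ran

# The "before" and "after" stacks from the post (pam_unix's placement is an assumption).
STACK_REQUISITE: Stack = [("requisite", pam_cleartext_pass_ok), ("required", pam_unix)]
STACK_REQUIRED: Stack = [("required", pam_cleartext_pass_ok), ("required", pam_unix)]

def prompts_for_password(stack: Stack, user: str) -> bool:
    """Did the login reach the password prompt, i.e. did pam_unix run?"""
    return "pam_unix" in run_auth_stack(stack, user, "guess")[1]

def leaks_user_existence(stack: Stack) -> bool:
    """True when a real and an unknown user get different prompt sequences."""
    return prompts_for_password(stack, "alice") != prompts_for_password(stack, "fred")

if __name__ == "__main__":
    for name, stack in (("requisite", STACK_REQUISITE), ("required", STACK_REQUIRED)):
        print(f"{name}: leaks user existence = {leaks_user_existence(stack)}")
```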