Date: Thu, 8 Apr 1999 15:20:42 -0400 (EDT)
From: Daniel Hagan <dhagan@cs.vt.edu>
To: FreeBsd-security@freebsd.org
Subject: Login & s/key brain damage?
Message-ID: <Pine.OSF.4.02.9904081509520.19340-100000@vtopus.cs.vt.edu>

On a FreeBSD-3.1-Release system, I've configured the following in
/etc/skey.access

----->8-----
permit group wheel internet (my network) (my netmask)
# Force everyone to login with skey.
deny
----->8-----

This seems to work just as advertised, except for one thing: Logging in
with an invalid username results in immediate error message while valid
accounts proceed to the password prompt:

----->8-----
%telnet localhost
Trying 127.0.0.1...
Connected to localhost.cs.vt.edu.
Escape character is '^]'.

FreeBSD/i386 (myhost.cs.vt.edu) (ttyp2)

login: bozo
Login incorrect
login: root
s/key 94 po93853
Password:
----->8-----

It seems to me that a more correct behavior would be to always present a
(possibly random) skey challenge, and only reject the login after they try
a password. This current situation seems to present an easy way of id-ing
userid's on a system that someone wants secure.

Is this correct behavior, or should we think about modifying login(1)?

Daniel

--
Daniel Hagan
Computer Systems Engineer
dhagan@cs.vt.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
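
The behaviour proposed in the message above, sketched as an added example that is not part of the original post and is not FreeBSD's login(1) code: every username gets an s/key challenge, and unknown names get a decoy derived from a host secret so that repeated probes see the same challenge instead of a fresh random one. SKEY_DB, SERVER_SECRET, the function names and the verify_skey callback are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data. The root entry reuses the challenge shown in the
# session above; a real system reads this state from its S/Key database.
SKEY_DB = {"root": (94, "po93853")}
# Assumption: a per-host secret readable only by the login program.
SERVER_SECRET = b"constructed-demo-secret"


def decoy_challenge(username):
    """Derive a stable (sequence, seed) pair for a name with no S/Key entry.

    Keying the derivation with HMAC means an outsider cannot recompute it,
    and the same name always maps to the same decoy, as a real entry would
    between successful logins.
    """
    digest = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).digest()
    seq = 50 + digest[0] % 50                                  # 50..99
    letters = "".join(chr(ord("a") + b % 26) for b in digest[1:3])
    number = int.from_bytes(digest[3:7], "big") % 100000
    # Shape copied from the sample seed "po93853": two letters, five digits.
    return seq, f"{letters}{number:05d}"


def challenge_for(username):
    """Return the challenge line shown before the Password: prompt."""
    seq, seed = SKEY_DB.get(username) or decoy_challenge(username)
    return f"s/key {seq} {seed}"


def login(username, response, verify_skey):
    """Return (challenge_shown, accepted).

    Both known and unknown names are shown a challenge and asked for a
    response; an unknown name is rejected only after that, so the prompt
    sequence no longer distinguishes the two cases.
    """
    challenge = challenge_for(username)
    accepted = username in SKEY_DB and bool(verify_skey(username, response))
    return challenge, accepted


if __name__ == "__main__":
    for name in ("bozo", "root"):
        print(f"login: {name}\n{challenge_for(name)}\nPassword:")
```

The decoy only helps if it is indistinguishable from the site's real challenges, so its seed shape and sequence range should follow whatever the local key initialisation actually produces.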
