From owner-freebsd-security  Thu Mar 18  8:36:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.euroweb.hu (mail.euroweb.hu [193.226.220.4])
	by hub.freebsd.org (Postfix) with ESMTP id C73591546A
	for <freebsd-security@freebsd.org>; Thu, 18 Mar 1999 08:36:05 -0800 (PST)
	(envelope-from hu006co@mail.euroweb.hu)
Received: (from hu006co@localhost)
	by mail.euroweb.hu (8.8.5/8.8.5) id RAA18419
	for freebsd-security@freebsd.org; Thu, 18 Mar 1999 17:35:44 +0100 (MET)
Received: (from zgabor@localhost)
	by CoDe.hu (8.8.8/8.8.8) id RAA00488
	for freebsd-security@freebsd.org; Thu, 18 Mar 1999 17:23:42 +0100 (CET)
	(envelope-from zgabor)
From: Zahemszky Gabor <zgabor@CoDe.hu>
Message-Id: <199903181623.RAA00488@CoDe.hu>
Subject: bug (?) in login limits from login.conf
To: freebsd-security@freebsd.org
Date: Thu, 18 Mar 1999 17:23:42 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I've found, that in my new 3.1RELEASE, there is an interesting bug in
login(1) with the /etc/login.conf ttys.deny/host.deny/times.deny mechanism.
(Well, I've found it on 2.2.5(?) and it works the same in 2.2.7.)
If there are any login restrictions (time/host or line) in /etc/login.conf,
login responds with:
<time restriction>:
``Logins not available right now''
<host/terminal restriction>:
``permission denied''
Instead of ``Login incorrect'' - of course, we have to know login/password.
But.  There is a little possibility, that on a machine, with such login
restrictions alive, I can find out some dummy users name/password.  If
something is wrong, I've got ``login incorrect''.  But if it's right, and
only not the correct time/line/host, we know it.  So we have a name/password
in our hands, so we have to try it another time, another line, from another
host ...

(Well, the same applies to /etc/login.access: instead of login incorrect, 
login(1) resposes: permission denied.)

As I know, login(1) says login incorrect, and not that: your password is
wrong.  And login(1) asks a password, and doesn't say: sorry, it's not a
good login name.  It's nothing, but information hiding.

I think, the correct form is:
good login -> login
bad login/restrictions/anything -> login incorrect

Bye,

ZGabor at CoDe dot HU

-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message