From owner-freebsd-security Tue Dec 24 20:19:10 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA26098 for security-outgoing; Tue, 24 Dec 1996 20:19:10 -0800 (PST)
Received: from hydrogen.nike.efn.org (resnet.uoregon.edu [128.223.170.28]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id UAA26088 for ; Tue, 24 Dec 1996 20:19:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hydrogen.nike.efn.org (8.8.3/8.8.3) with SMTP id SAA13701 for ; Tue, 24 Dec 1996 18:41:25 -0800 (PST)
Date: Tue, 24 Dec 1996 18:41:25 -0800 (PST)
From: John-Mark Gurney
X-Sender: jmg@hydrogen
Reply-To: John-Mark Gurney
To: freebsd-security@freefall.freebsd.org
Subject: attempted root login gives refused message when password correct instead of login incorrect...
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Well... I just noticed that if you telnet in and try to login as with the correct password, you get the "refused" message instead of the "login incorrect" message. This seems a security hole, as you can "obtain" the root password through this method. Am I being overly worried?

I have a patch that will report "login incorrect" when it's root and the login was actually refused. This doesn't change the syslog entry, just what the user sees.

Thanks for your time,

John-Mark
gurney_j@efn.org
http://resnet.uoregon.edu/~gurney_j/
Modem/FAX: (541) 683-6954 (FreeBSD Box)
Live in Peace, destroy Micro$oft, support free software, run FreeBSD (unix)
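The leak the post describes is a response oracle: a remote client that gets "refused" rather than "login incorrect" learns the root password was right even though the session was denied. The following C program is an added illustration, not John-Mark's patch and not FreeBSD's login(1) source. It models the decision with a constructed password table and a constructed tty table standing in for the password database and the "secure" flag in /etc/ttys, and contrasts a leaky reply function with a fixed one that keeps the refusal reason in the audit record only, as the post proposes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not a real password database). */
struct account { const char *name; const char *password; };
static const struct account accounts[] = {
    { "root",  "constructed-root-pw"  },
    { "alice", "constructed-alice-pw" },
};

/* Constructed stand-in for the "secure" flag in /etc/ttys: root may only
 * log in on a tty marked secure. */
struct tty_entry { const char *name; int secure; };
static const struct tty_entry ttys[] = {
    { "ttyv0", 1 },   /* console: root login allowed */
    { "ttyp0", 0 },   /* network pseudo-tty: root login refused */
};

/* What the audit log (syslog in the real program) would record. */
static const char *last_audit = "";

typedef const char *(*reply_fn)(const char *, const char *, const char *);

static int password_ok(const char *user, const char *pw)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            return strcmp(accounts[i].password, pw) == 0;
    return 0;   /* unknown user: treated like a bad password */
}

static int tty_secure(const char *tty)
{
    for (size_t i = 0; i < sizeof ttys / sizeof ttys[0]; i++)
        if (strcmp(ttys[i].name, tty) == 0)
            return ttys[i].secure;
    return 0;   /* unlisted ttys are not secure */
}

/* Leaky behaviour: three distinct user-visible replies. The "refused"
 * reply is only reachable once the password has verified, so the remote
 * user can tell a correct root password from a wrong one. */
const char *login_reply_leaky(const char *user, const char *pw, const char *tty)
{
    if (!password_ok(user, pw)) {
        last_audit = "LOGIN FAILURE";
        return "Login incorrect";
    }
    if (strcmp(user, "root") == 0 && !tty_secure(tty)) {
        last_audit = "ROOT LOGIN REFUSED";
        return "Login refused on this terminal";   /* leaks password validity */
    }
    last_audit = "LOGIN OK";
    return "Welcome";
}

/* Fixed behaviour: the reason is kept for the audit log, but every failed
 * attempt shows the same reply, so the two cases are indistinguishable. */
const char *login_reply_fixed(const char *user, const char *pw, const char *tty)
{
    int pw_good   = password_ok(user, pw);
    int permitted = !(strcmp(user, "root") == 0 && !tty_secure(tty));

    if (pw_good && permitted) {
        last_audit = "LOGIN OK";
        return "Welcome";
    }
    last_audit = pw_good ? "ROOT LOGIN REFUSED" : "LOGIN FAILURE";
    return "Login incorrect";
}

/* Returns 1 if a remote user on an insecure tty can distinguish a wrong
 * root password from a correct-but-refused one by the reply alone. */
int replies_distinguish_password(reply_fn reply)
{
    const char *wrong   = reply("root", "definitely-wrong", "ttyp0");
    const char *refused = reply("root", "constructed-root-pw", "ttyp0");
    return strcmp(wrong, refused) != 0;
}

int main(void)
{
    printf("leaky reply oracle: %d\n", replies_distinguish_password(login_reply_leaky));
    printf("fixed reply oracle: %d\n", replies_distinguish_password(login_reply_fixed));
    return 0;
}
```

The fixed variant still evaluates the password before deciding on the reply so the audit record can say "ROOT LOGIN REFUSED" rather than "LOGIN FAILURE"; only the text sent back to the client is collapsed, which matches the post's point that the syslog entry should stay unchanged.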