From owner-freebsd-security Tue Dec 24 20:54:13 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id UAA27065 for security-outgoing; Tue, 24 Dec 1996 20:54:13 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id UAA27058 for ; Tue, 24 Dec 1996 20:54:11 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id VAA29000; Tue, 24 Dec 1996 21:54:09 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id VAA29708; Tue, 24 Dec 1996 21:53:21 -0700 (MST)
Date: Tue, 24 Dec 1996 21:53:21 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: John-Mark Gurney
cc: freebsd-security@freefall.freebsd.org
Subject: Re: attempted root login gives refused message when password correct instead of login incorrect...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 24 Dec 1996, John-Mark Gurney wrote:

> well.. I just noticed that if you telnet in and try to login as with the
> correct password... you get the refused message instead of the login
> incorrect message... this seems a security hole as you can "obtain" the
> root password through this method...
>
> am I being overly worried? I have a patch that will report login
> incorrect when it's root when it was actually refused... this doesn't
> change the syslog entry... just what the user sees...

The idea is that if you know the root password, then you have already been authenticated as root so no information is being given away. If you are going to try something like a dictionary attack then I guess it does make something of a difference, but if such an attack can guess root's password I think you have bigger problems.
I think that the primary reason that it explicitly states that root login is refused on the terminal is so that people know why they can't login as root when they try, and don't get confused thinking they have the wrong password. I'm not sure it is a big issue.
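The behaviour the two of them are discussing, as an added example that is not part of the original message and not FreeBSD's login.c: a small model in which "root login refused on this terminal." is printed only after a correct password, next to the patched behaviour that keeps the syslog entry but shows the user "Login incorrect" either way. The account table, the /etc/ttys-style "secure" flags, the shared salt and the wordlist are all constructed for the demo; the dictionary routine shows why the distinct message is an oracle and why the patch closes it.

```python
"""Constructed model of the login(1) oracle discussed in the thread.

Added example, not FreeBSD's login.c. Users, passwords, the terminal
table and the password hashing are assumptions made for the demo.
"""
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # assumption: a real system salts per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed account table (assumed users and passwords).
USERS = {"root": _hash("hunter2"), "marcs": _hash("correct horse")}

# Constructed stand-in for /etc/ttys: True means the 'secure' keyword is
# set and root may log in there. A telnet pseudo-terminal is not secure.
SECURE_TTY = {"ttyv0": True, "ttyp0": False}

AUDIT_LOG: list = []  # stand-in for the syslog entry that both variants keep


def password_ok(user: str, password: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash(password))


def login_leaky(user: str, password: str, tty: str):
    """Behaviour being reported: authenticate first, then refuse root on an
    insecure tty with its own message. That message is only ever shown
    after a correct password, so it confirms the password to the caller."""
    if not password_ok(user, password):
        return False, "Login incorrect"
    if user == "root" and not SECURE_TTY.get(tty, False):
        AUDIT_LOG.append(f"ROOT LOGIN REFUSED ON {tty}")
        return False, "root login refused on this terminal."
    return True, f"Welcome {user}"


def login_hardened(user: str, password: str, tty: str):
    """Behaviour of the proposed patch: same syslog entry, but the user sees
    the same text as for a wrong password."""
    if not password_ok(user, password):
        return False, "Login incorrect"
    if user == "root" and not SECURE_TTY.get(tty, False):
        AUDIT_LOG.append(f"ROOT LOGIN REFUSED ON {tty}")
        return False, "Login incorrect"
    return True, f"Welcome {user}"


def guess_root_password(login, candidates, tty: str = "ttyp0"):
    """Dictionary attack over an insecure tty. It never needs a successful
    login: any reply other than 'Login incorrect' marks the right guess."""
    for candidate in candidates:
        ok, message = login("root", candidate, tty)
        if ok or message != "Login incorrect":
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["password", "letmein", "hunter2", "toor"]  # constructed
    print("leaky   :", guess_root_password(login_leaky, wordlist))
    print("hardened:", guess_root_password(login_hardened, wordlist))
```

Run against the leaky variant the wordlist yields "hunter2" from the telnet pty; against the patched variant it yields nothing, while AUDIT_LOG still records each refused root attempt, which is the property John-Mark's patch is after.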