From owner-freebsd-security Wed Dec 25 01:04:03 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id BAA02820 for security-outgoing; Wed, 25 Dec 1996 01:04:03 -0800 (PST)
Received: from hydrogen.nike.efn.org (resnet.uoregon.edu [128.223.170.28]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id BAA02785 for ; Wed, 25 Dec 1996 01:03:52 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hydrogen.nike.efn.org (8.8.3/8.8.3) with SMTP id BAA14894; Wed, 25 Dec 1996 01:03:13 -0800 (PST)
Date: Wed, 25 Dec 1996 01:03:10 -0800 (PST)
From: John-Mark Gurney
X-Sender: jmg@hydrogen
Reply-To: John-Mark Gurney
To: Marc Slemko
cc: freebsd-security@freefall.freebsd.org
Subject: Re: attempted root login gives refused message when password correct instead of login incorrect...
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 24 Dec 1996, Marc Slemko wrote:

> On Tue, 24 Dec 1996, John-Mark Gurney wrote:
>
> > well.. I just noticed that if you telnet in and try to login as with the
> > correct password... you get the refused message instead of the login
> > incorrect message... this seems a security hole as you can "obtain" the
> > root password through this method...
> >
> > am I being overly worried? I have a patch that will report login
> > incorrect when it's root when it was actually refused... this doesn't
> > change the syslog entry... just what the user sees...
>
> The idea is that if you know the root password, then you have already been
> authenticated as root so no information is being given away. If you are
> going to try something like a dictionary attack then I guess it does make
> something of a difference, but if such an attack can guess root's password
> I think you have bigger problems.

that probably is true...

> I think that the primary reason that it explicitly states that root login
> is refused on the terminal is so that people know why they can't login as
> root when they try, and don't get confused thinking they have the wrong
> password.

that is a good point...

> I'm not sure it is a big issue.

I didn't think so... oh well... glad to get your thoughts on the subject...

ttyl..

John-Mark
gurney_j@efn.org
http://resnet.uoregon.edu/~gurney_j/
Modem/FAX: (541) 683-6954 (FreeBSD Box)
Live in Peace, destroy Micro$oft, support free software, run FreeBSD (unix)
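The two behaviours the thread argues over, as an added example that is not part of the original post or of FreeBSD's login(1): the first function reads the "secure" flag from an /etc/ttys line in the layout getttyent(3) expects, and the second places the stock response next to the patched one, where only the text shown to the user changes and the syslog record is kept. The message texts and the ttys lines used in the test are constructed for this example.

```c
#include <ctype.h>
#include <string.h>
/* Does this /etc/ttys line mark terminal `tty` as "secure"?  Layout is
 * name getty type [status/flags...]; the getty field may be quoted, e.g.
 *   ttyv0 "/usr/libexec/getty Pc" cons25 on secure
 * As in getttyent(3), every word after the type is treated as a flag. */
int tty_is_secure(const char *line, const char *tty)
{
    char buf[256], *fields[16], *p = buf;
    int n = 0;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    while (*p != '\0' && n < 16) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#') break;      /* end of line or comment */
        if (*p == '"') {                          /* quoted field, may hold spaces */
            fields[n++] = ++p;
            while (*p != '\0' && *p != '"') p++;
        } else {
            fields[n++] = p;
            while (*p != '\0' && !isspace((unsigned char)*p)) p++;
        }
        if (*p != '\0') *p++ = '\0';              /* terminate the field */
    }
    if (n < 3 || strcmp(fields[0], tty) != 0) return 0;
    for (int i = 3; i < n; i++)
        if (strcmp(fields[i], "secure") == 0) return 1;
    return 0;
}

/* What the user sees vs. what syslog records for one attempt.  Message
 * texts are constructed for this example, not copied from login(1). */
struct outcome { const char *user_msg; const char *log_msg; int allowed; };

/* password_ok is the result of the password check (not shown).  uniform=1
 * applies the patch from the thread: a refusal on an insecure tty looks to
 * the user exactly like a wrong password, while the syslog line is kept. */
struct outcome attempt(const char *user, int password_ok,
                       int secure_tty, int uniform)
{
    struct outcome r = { "Login incorrect", "LOGIN FAILURE", 0 };
    if (!password_ok) return r;
    if (strcmp(user, "root") == 0 && !secure_tty) {
        r.log_msg = "ROOT LOGIN REFUSED ON insecure tty";
        if (!uniform) r.user_msg = "Login refused on this terminal";
        return r;
    }
    r.user_msg = ""; r.log_msg = "LOGIN OK"; r.allowed = 1;
    return r;
}
```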