From owner-freebsd-bugs Sun Feb 23 12:30:06 1997
Return-Path:
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id MAA00912
          for bugs-outgoing; Sun, 23 Feb 1997 12:30:06 -0800 (PST)
Received: (from gnats@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id MAA00903;
          Sun, 23 Feb 1997 12:30:02 -0800 (PST)
Date: Sun, 23 Feb 1997 12:30:02 -0800 (PST)
Message-Id: <199702232030.MAA00903@freefall.freebsd.org>
To: freebsd-bugs
Cc:
From: Mike Pritchard
Subject: Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Reply-To: Mike Pritchard
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR bin/2804; it has been noted by GNATS.

From: Mike Pritchard
To: joerg_wunsch@uriah.heep.sax.de
Cc: freebsd-gnats-submit
Subject: Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Date: Sun, 23 Feb 1997 12:26:09 -0800 (PST)

J Wunsch wrote:
>
> As Garrett Wollman wrote:
>
> > 1) Refuse immediately without asking for a password.
> >
> > or
> >
> > 2) Respond `root login refused on this terminal' without verifying the
> > password.
>
> Both aren't correct either.  They allow spying additional UID 0
> accounts.

The rule I was taught to follow was that you should never provide
any more information than "login incorrect" because anything
beyond that may help the intruder.  Telling them "root logins refused"
informs them right off that you have secure ttys enabled, and
that they should go try to find another way into the machine.

I think the only other case where we don't just report "login incorrect"
is if the account is expired, but you need the correct password first.

Both cases should probably just report "login incorrect", and
send a syslog message about it.
--
Mike Pritchard
mpp@FreeBSD.org
"Go that way.  Really fast.  If something gets in your way, turn"
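
The policy argued for in this message, as an added example (not code from login or from the PR): every failed attempt gets the same reply, and the real reason goes only to syslog. The struct, enum and function names and the sample attempts are assumptions constructed for illustration; `pw_ok` stands in for a password check that the caller always performs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <syslog.h>

/* One login attempt. Every name here is an assumption made for this example. */
struct attempt {
    const char *user, *tty;
    bool known, uid0;          /* account exists; account has UID 0 */
    bool pw_ok;                /* password check result; caller always runs it */
    bool tty_secure, expired;  /* tty is marked secure; account has expired */
};

enum reason { R_OK, R_BAD_LOGIN, R_ROOT_INSECURE_TTY, R_EXPIRED };
static const char *const reason_text[] = { "ok", "bad user or password",
    "UID 0 login on insecure tty", "account expired" };

/* Real reason, for the log only; policy checks run only once the password is verified. */
enum reason classify(const struct attempt *a)
{
    if (!a->known || !a->pw_ok)    return R_BAD_LOGIN;
    if (a->uid0 && !a->tty_secure) return R_ROOT_INSECURE_TTY;
    if (a->expired)                return R_EXPIRED;
    return R_OK;
}

/* Returns NULL on success, otherwise the one message every failure gets. */
const char *login_reply(const struct attempt *a)
{
    enum reason r = classify(a);
    if (r == R_OK) return NULL;
    syslog(LOG_AUTH | LOG_NOTICE, "login failure on %s for %s: %s",
           a->tty, a->user, reason_text[r]);
    return "Login incorrect";
}

/* Constructed sample attempts (not taken from the PR). */
const struct attempt samples[] = {
    {"root", "ttyp0", true, true,  true,  false, false}, /* right password, insecure tty */
    {"toor", "ttyp0", true, true,  false, false, false}, /* wrong password, insecure tty */
    {"bob",  "ttyv0", true, false, true,  true,  true }, /* right password, expired */
    {"root", "ttyv0", true, true,  true,  true,  false}, /* right password, secure tty */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%s: %s\n", samples[i].user, login_reply(&samples[i]) ? "refused" : "accepted");
    return 0;
}
```

Because a wrong password is classified before the tty or expiry checks, someone without the password sees the same reply for any account name, UID 0 or not.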