On Wed, Aug 20, 2008 at 09:41:46PM +0200, [EMAIL PROTECTED] wrote:
>
> At the console login prompt, entering a username which does not exist on
> the system, will immediately show an error message, thus revealing that
> the username is in fact non-existent on the system. This dramatically
> reduces the time it would take to brute-force your way into a user's
> account.

How immediate is this?
On my machines, it takes 3 seconds.
(You can also increase the delay parameter provided to the
pam_faildelay.so module in /etc/pam.d/login)

If it is really immediate on your machine, then I can't reproduce it
currently.

After this timeout, you receive a message which indicates that the login
is incorrect, which might give some indications to an attacker willing to
brute-force, but brute-forcing login names at a 1 login/3 seconds rate is
not critical.

You can alternatively change the pam_securetty.so control type from
"requisite" to "required". In that case, you will always have a password
prompt. Note that in that case, root passwords may accidentally be
communicated over insecure links (e.g. if the user enters roto instead of
root).

Best Regards,
-- 
Nekral
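
An added example, not part of the original mail: a small audit of the two settings the reply mentions in /etc/pam.d/login, the pam_faildelay.so delay and the pam_securetty.so control type. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/login auth stack (not from the mail).
SAMPLE_LOGIN_PAM = """\
auth  optional   pam_faildelay.so  delay=3000000
auth  requisite  pam_securetty.so
auth  requisite  pam_nologin.so
@include common-auth
"""

# type, control (plain keyword or [value=action ...]), module, arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = RULE.match(line)                  # @include lines do not match
        if m:
            module = m.group(3).rsplit("/", 1)[-1]
            yield m.group(1), m.group(2), module, m.group(4).split()

def audit_login(text):
    """Report the two settings discussed in the reply."""
    report = {"faildelay_seconds": None, "securetty_control": None, "notes": []}
    for mtype, control, module, args in parse_pam(text):
        if mtype != "auth":
            continue
        if module == "pam_faildelay.so":
            for arg in args:
                if arg.startswith("delay="):
                    # pam_faildelay expresses delay in microseconds.
                    report["faildelay_seconds"] = int(arg[len("delay="):]) / 1_000_000
        elif module == "pam_securetty.so":
            report["securetty_control"] = control
    if report["faildelay_seconds"] is None:
        report["notes"].append("no explicit pam_faildelay delay= in this file")
    if report["securetty_control"] == "requisite":
        report["notes"].append("requisite: a pam_securetty failure ends the stack "
                               "before any password prompt")
    elif report["securetty_control"] == "required":
        report["notes"].append("required: a password is always prompted, so a mistyped "
                               "root login may send the root password over an insecure link")
    return report

if __name__ == "__main__":
    print(audit_login(SAMPLE_LOGIN_PAM))
```
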

