--- On Sun, 21/12/08, Florian Weimer <f...@deneb.enyo.de> wrote:

> The intent is to prevent accidental transmission of cleartext
> passwords.  To achieve this, you have to abort the login sequence
> after the user name.

I think we have a design flaw here. If the user has a valid password, then he 
probably has the associated username information, and thus a valid login. If on 
the other hand, a hacker is guessing, which I reckon is more likely, we are 
feeding him username validation. (In my case, the default behaviour is less 
secure than the proposed revision.)

I think we should have a switch here to allow the administrator to decide which 
behaviour is required.

This report should be reopened as a feature request.

Mark.
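The trade-off Mark describes above, modelled as an added example (not code from this thread or from the package under discussion): a login routine with the administrator switch he proposes. With `abort_after_username=True` the server refuses to prompt for a password when the user name is unknown, so no cleartext password is sent for it, but an observer who submits a wrong password for a known and an unknown name sees two different responses. With the switch off, unknown names are checked against a dummy credential so both paths look the same. The user database, salt and PBKDF2 settings are constructed stand-ins for whatever the real service uses.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the service's password store: username -> (salt, PBKDF2 digest).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so that unknown users go through the same work as known ones.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def login(username: str, password: str, abort_after_username: bool = True):
    """Returns (outcome, password_was_requested).

    abort_after_username=True models the behaviour Florian describes: the login
    sequence stops after the user name, so no password is ever sent for an
    unknown account. abort_after_username=False models Mark's alternative:
    every login attempt is taken through the password step.
    """
    if abort_after_username:
        if username not in USERS:
            # Safe for the password, but the early refusal itself reveals
            # that the account does not exist.
            return ("rejected", False)
        salt, stored = USERS[username]
        ok = hmac.compare_digest(_hash(password, salt), stored)
        return ("accepted" if ok else "rejected", True)

    # Uniform path: unknown names are verified against the dummy credential,
    # so timing and response shape do not depend on whether the name exists.
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return ("accepted" if ok else "rejected", True)


def leaks_username_validity(abort_after_username: bool) -> bool:
    """Does a wrong-password attempt for a known name look different from one for an unknown name?"""
    known = login("alice", "wrong", abort_after_username)
    unknown = login("mallory", "wrong", abort_after_username)
    return known != unknown


if __name__ == "__main__":
    for mode in (True, False):
        print(f"abort_after_username={mode}: leaks username validity = {leaks_username_validity(mode)}")
```

The dummy verification is what keeps the second mode uniform: without it, a lookup miss would return faster than a real hash comparison, and the name would still be distinguishable by timing even though the response text is identical.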
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org