Hi,

On Sun, May 31, 2009 at 09:27:09PM +0300, Dmitri Gribenko wrote:
>
> If you enter an invalid login, you get "login incorrect" immediately.
> Expected behavior is that password should be asked regardless of login
> correctness. This is to mitigate user enumeration attacks.

Please look at the pam_securetty.so section in /etc/pam.d/login.

There are two contradicting security goals which are to avoid having
root's password entered on unsafe lines (and unknown users should be
considered as a mistyped 'root'), and to avoid leaking information
regarding existing users.

I don't really know how to handle this bug.
My preference would go to close it (which I will do in a few weeks if
there are no answers).
Another solution could be to keep it as wontfix as an "information bug"
and wait until somebody finds a cleaner solution.

Dmitri, changing the inclusion of pam_securetty.so from requisite to
required is probably what you are looking for.

Best Regards,
-- 
Nekral
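
The requisite/required difference mentioned in the reply above, as an added example that is not part of the original message: a small Python check that reads a PAM auth stack and reports whether a pam_securetty.so failure ends authentication at once (requisite) or lets the remaining modules still run and prompt (required). The sample stack is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of an /etc/pam.d/login stack (not copied from any system).
SAMPLE_LOGIN = """\
# constructed sample
auth       optional   pam_faildelay.so  delay=3000000
auth       requisite  pam_securetty.so
auth       required   pam_unix.so nullok
account    required   pam_unix.so
"""

# Control keyword whose failure returns to the application immediately.
ABORTS_ON_FAILURE = {"requisite"}
# Control keyword whose failure is recorded while later modules still run.
CONTINUES_ON_FAILURE = {"required"}

# type, control (keyword or [value=action ...] form), module, optional args
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries

def securetty_behaviour(text):
    """Classify how a pam_securetty.so failure affects the auth stack."""
    for mtype, control, module, _args in parse_stack(text):
        if mtype.lstrip("-") == "auth" and module.endswith("pam_securetty.so"):
            if control in ABORTS_ON_FAILURE:
                return "immediate-failure"  # stack stops, no password prompt
            if control in CONTINUES_ON_FAILURE:
                return "deferred-failure"   # later modules still prompt
            return "other:" + control       # bracketed or other control form
    return "absent"

if __name__ == "__main__":
    print(securetty_behaviour(SAMPLE_LOGIN))
```

With `required`, the login attempt still fails in the end, but only after the password has been asked for, which is the trade-off between the two goals described in the reply.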

