I was under the impression that most ftpds and so on not only
ask for a password even if the user name entered was invalid,
but don't even bother checking the username until they have
a username/password pair.  Hence the also common error message:
"Invalid username/password".  (Which I think I've seen on a lot
of other UNIXen with login as well.)

It does make more sense though that you should give the possible
attacker as little information about the system as you can.

______________________________ Reply Separator _________________________________
Subject: Small Bug
Author:  "Alan P. Laudicina" <[EMAIL PROTECTED]> at Internet
Date:    2/23/00 8:58 PM


login> login alanp
login: alanp: Unknown user
login> login alan
Password:
     
This isn't a good idea security-wise.  Instead of the 'User 
Unknown' error, it should just ask for the password and error 
out with an Invalid Password error.  The way it is set up now
it could be used to guess login names, which is pretty much the 
reason that most ftpds ask for a password if there is no such 
username on the system anyways, now.
     
Thanks,
Alan P. Laudicina
     
-- 
|          Alan P. Laudicina / [EMAIL PROTECTED]          | 
|  http://corp.linux.com  /  http://www.unixpower.org   | 
| "You can get more with a kind word and a gun than you | 
| can with a kind word alone." - Al Capone (1899-1947)  |
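
The two behaviours discussed in this thread, side by side, as an added example that is not part of either message and is not the login program's own code. The user table, the password, the function names and the PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_entry(password: str):
    """Return a (salt, digest) pair as a stored credential."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed account database: one real user.
USERS = {"alan": make_entry("correct horse")}
# Throwaway credential checked for unknown names, so an unknown name
# costs the same hashing work as a known one.
_DUMMY = make_entry(os.urandom(16).hex())

GENERIC_FAILURE = "Invalid username/password"


def leaky_login(user: str, ask_password) -> str:
    """Behaviour reported in the thread: unknown names fail before the prompt."""
    if user not in USERS:
        return f"login: {user}: Unknown user"
    salt, digest = USERS[user]
    ok = hmac.compare_digest(_hash(ask_password(), salt), digest)
    return "ok" if ok else GENERIC_FAILURE


def uniform_login(user: str, ask_password) -> str:
    """Always prompt, always hash, and return one message for every failure."""
    known = user in USERS
    salt, digest = USERS[user] if known else _DUMMY
    ok = hmac.compare_digest(_hash(ask_password(), salt), digest)
    return "ok" if (ok and known) else GENERIC_FAILURE


if __name__ == "__main__":
    for name in ("alanp", "alan"):
        print(name, "->", leaky_login(name, lambda: "guess"))
        print(name, "->", uniform_login(name, lambda: "guess"))
```

Passing the prompt as a callable makes it possible to check that the uniform version asks for a password whether or not the name exists.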
     
     