Hi, I found something quite strange while fiddling with openssh on my firewall...
If I try to log in using a valid username and a bogus password, I get a slight delay before getting another 'password:' prompt. However, if I use a bogus username _and_ a bogus password, the prompt appears immediately.

I tested this on an up-to-date woody system and a sid one, and both exhibit the same behavior. I cannot believe it is intended, as it could be easily used to guess valid usernames remotely with some kind of brute force scanner.

The pam_unix auth module seems to support a 'nodelay' argument, but that does not fix the whole brute force thing. Anyone more knowledgeable than me care to comment?
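The timing difference reported above, modelled as an added example that is not part of the original post and is not OpenSSH or PAM code. It assumes the delay comes from password hashing plus a failure delay that only the known-user path reaches (the post does not identify the cause); the account table and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # Deliberately slow password hash, the expensive step of a login check.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed account table: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record checked for unknown usernames; its password is random and discarded.
_DUMMY_SALT = os.urandom(16)
DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))


def check_leaky(user, password, trace):
    """Unknown usernames return at once, so response time reveals which names exist."""
    rec = USERS.get(user)
    if rec is None:
        return False                      # no hash, no failure delay
    trace.append("hash")
    ok = hmac.compare_digest(_hash(password, rec[0]), rec[1])
    if not ok:
        trace.append("delay")             # a real service would sleep here
    return ok


def check_uniform(user, password, trace):
    """Every failed attempt costs one hash and one delay, whether or not the user exists."""
    rec = USERS.get(user)
    known = rec is not None
    salt, stored = rec if known else DUMMY
    trace.append("hash")
    match = hmac.compare_digest(_hash(password, salt), stored)
    ok = known and match                  # the dummy record can never authenticate
    if not ok:
        trace.append("delay")
    return ok


def steps(check, user, password):
    """Return the list of costly steps a check performed for one attempt."""
    trace = []
    check(user, password, trace)
    return trace
```

`steps()` records the costly operations instead of sleeping, so the two code paths can be compared deterministically; for the uniform check, a wrong password produces the same step list for "alice" and for a name that does not exist.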