I just tested this behavior on my Lenny/Sid workstation and Etch server... frightening indeed! Lenny does spit out an error whereas Etch still gives a password prompt.

However, since this happens at the login shell, I'd be more concerned about a user booting a liveCD. I assume SSH still behaves correctly? Can someone verify?

Thanks,
-rb

On Sat, Sep 13, 2008 at 1:20 AM, François Cerbelle <[EMAIL PROTECTED]> wrote:
>
> On Sat 13 September 2008 04:47, s. keeling wrote:
> [...]
>>> Try to login on any Lenny box console with an invalid account.
>>> You will get "Incorrect login" without being prompted for a
>>> password at all.
>> What? And you get a shell prompt?!?
>>
>
> Even if you do not have a shell, you do have an important piece of information:
> the login you tried does not exist. So, you can do a first rapid scan
> based on a dictionary to find the existing users on the server. Then, you
> can focus your attack on these accounts.
>
> If the system would ask a password, even if the account does not exist,
> you cannot know if the account exists or not. The security problem is
> here, if I understood the previous message correctly.
>
> As I use Etch, I was not able to test it on Lenny and I did not test it on
> Etch.
>
>
> Fanfan
> --
> http://www.cerbelle.net - http://www.afdm-idf.org
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
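The account-existence oracle François describes, and the uniform behaviour that closes it, as an added Python illustration that is not part of this thread and not Debian's login or PAM code. It models a console login with an in-memory user table (a constructed stand-in for /etc/shadow, PBKDF2 in place of crypt(3)): `login_leaky` rejects an unknown account before asking for a password, `login_uniform` always prompts, always does the same hashing work (against a dummy hash for unknown users) and always returns the same failure text, and `leaks_account_existence` is a self-check that flags any login routine whose prompting or message differs between "unknown user" and "known user, wrong password". All names here are hypothetical.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 hash).
# Stand-in for /etc/shadow; the salt and password are made up for this example.
_SALT = b"constructed-salt"


def _hash_pw(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


USERS = {
    "alice": (_SALT, _hash_pw(b"correct horse", _SALT)),
}

# Dummy credential verified for unknown accounts so the same work is done
# whether or not the account exists (no message or timing difference).
_DUMMY = (_SALT, _hash_pw(b"dummy-never-matches", _SALT))


def login_leaky(user: str, get_password) -> str:
    """Behaviour reported for Lenny in the thread: an unknown account is
    rejected before a password is requested, so the response itself tells
    the caller whether the account exists."""
    if user not in USERS:
        return "Incorrect login"  # no password prompt at all
    salt, stored = USERS[user]
    if hmac.compare_digest(_hash_pw(get_password(), salt), stored):
        return "OK"
    return "Login incorrect"


def login_uniform(user: str, get_password) -> str:
    """Hardened form: always prompt, always verify a hash (a dummy one for
    unknown users), and use one failure message for every failure."""
    salt, stored = USERS.get(user, _DUMMY)
    candidate = _hash_pw(get_password(), salt)
    if user in USERS and hmac.compare_digest(candidate, stored):
        return "OK"
    return "Login incorrect"


def leaks_account_existence(login_fn) -> bool:
    """Self-check for a login routine: True if the observable behaviour
    (whether a password was requested, and the message returned) differs
    between a known account with a wrong password and an unknown account."""

    def probe(user: str):
        prompted = []

        def ask() -> bytes:
            prompted.append(True)
            return b"wrong password"

        msg = login_fn(user, ask)
        return (bool(prompted), msg)

    return probe("alice") != probe("no-such-user")


if __name__ == "__main__":
    print("login_leaky leaks:", leaks_account_existence(login_leaky))      # True
    print("login_uniform leaks:", leaks_account_existence(login_uniform))  # False
```

The check only covers what this thread is about, the prompt and the message; a real login path also needs the dummy-hash trick above so that an unknown user does not fail measurably faster than a wrong password.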

