Hi,

Is there a way to get the same error message from PAM errors, as when the user doesn't exist?

I think, in other words, the question boils down to: is it possible to disable the native /etc/passwd authentication mechanism, and rely on PAM exclusively?

When I try a nonexistent user, I get:

-ERR [AUTH] Password supplied for "asdf" is incorrect.

But users that exist will return (from PAM):

-ERR [AUTH] PAM authentication failed for user "apache": Authentication failure (7)

This can obviously be used to find out legal user names, and I therefore call it a security issue.

Have fun,
Johann

P.S. I've subscribed now, so gmane readers may get double copies. If you don't know what gmane is, then don't worry.
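Added example, not part of the original message and not the server's own code: the two replies quoted above next to a form that sends one client-visible failure text and keeps the cause in a server-side log line. The function names, the `auth_failure` enum and the log format are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical failure causes; the names are assumptions for this example. */
enum auth_failure { NO_SUCH_USER, PAM_FAILURE };

typedef void (*reply_fn)(char *out, size_t n, char *log, size_t ln,
                         const char *user, enum auth_failure why);

/* Behaviour quoted in the post: the reply text depends on the cause. */
void leaky_reply(char *out, size_t n, char *log, size_t ln,
                 const char *user, enum auth_failure why)
{
    (void)ln;
    log[0] = '\0';
    if (why == NO_SUCH_USER)
        snprintf(out, n, "-ERR [AUTH] Password supplied for \"%s\" is incorrect.", user);
    else
        snprintf(out, n, "-ERR [AUTH] PAM authentication failed for user \"%s\": "
                         "Authentication failure (7)", user);
}

/* Hardened form: one client-visible text; the cause goes to a server-side log line. */
void uniform_reply(char *out, size_t n, char *log, size_t ln,
                   const char *user, enum auth_failure why)
{
    snprintf(log, ln, "auth failure user=\"%s\" cause=%s", user,
             why == NO_SUCH_USER ? "no-such-user" : "pam-failure");
    snprintf(out, n, "-ERR [AUTH] Password supplied for \"%s\" is incorrect.", user);
}

/* Returns 1 if the reply text alone tells the two failure causes apart. */
int reveals_valid_users(reply_fn f)
{
    char a[256], b[256], log[256];
    f(a, sizeof a, log, sizeof log, "asdf", NO_SUCH_USER);
    f(b, sizeof b, log, sizeof log, "asdf", PAM_FAILURE);
    return strcmp(a, b) != 0;
}

int main(void)
{
    printf("leaky reveals: %d, uniform reveals: %d\n",
           reveals_valid_users(leaky_reply), reveals_valid_users(uniform_reply));
    return 0;
}
```

Matching text does not equalise timing; the PAM and non-PAM paths would also need to do comparable work before replying.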
