Hi

Yes, this is a security problem. Letting people probe usernames compromises Unix security - the behaviour must be identical, including the time taken, whether the username is valid or not. (There was once a hole introduced when someone decided not to bother hashing the supplied password if the username was invalid, thereby informing attackers of username validity by the time it took to reject them on an idle machine.)

Unix is used in many contexts that you cannot begin to imagine - something as generic as Debian even more, so arguments of the form "I can't think of a circumstance where this would be a problem any more" just display sleepwalking naivety.

Just to knock the specific example of this kind of thinking, if someone steals my laptop, I don't want them having an easy life by being able to probe for usernames and then just having the passwords to guess.

Another example: we run a service in a squat in Sicily, providing email to hundreds of people, but we can't afford a guard to sit by the server 24 hours a day...

Please maintain regular Unix security on *all* entry points, not just the bare minimum that applies in your own particular circumstance!

Don't change what ain't broke...
Thanks

M
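The timing hole mentioned in the message above, as an added example that is not part of the original message or of any Debian code: a login check that skips hashing for unknown usernames, next to one that does the same hashing work either way. The function names, the PBKDF2 stand-in for the system's password hash, and the sample account are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # constructed work factor for the demo
_calls = 0            # counts expensive hash invocations

def slow_hash(password: str, salt: bytes) -> bytes:
    global _calls
    _calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db(users: dict) -> dict:
    """Build {username: (salt, hash)} from constructed sample credentials."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, slow_hash(pw, salt))
    return db

# Placeholder record hashed against when the username does not exist.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = os.urandom(32)

def check_leaky(db, username, password) -> bool:
    """The hole from the message: no hashing for an unknown username."""
    rec = db.get(username)
    if rec is None:
        return False  # fast rejection reveals that the name is invalid
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password, salt), stored)

def check_uniform(db, username, password) -> bool:
    """Same hashing work whether or not the username exists."""
    rec = db.get(username)
    salt, stored = rec if rec is not None else (DUMMY_SALT, DUMMY_HASH)
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return matches and rec is not None

def hash_work(check, db, username, password) -> int:
    """Number of expensive hashes one login attempt performed."""
    before = _calls
    check(db, username, password)
    return _calls - before

if __name__ == "__main__":
    db = make_db({"alice": "correct horse"})  # constructed sample account
    for check in (check_leaky, check_uniform):
        print(check.__name__, hash_work(check, db, "alice", "x"),
              hash_work(check, db, "nobody", "x"))
```

Counting hash calls rather than measuring wall-clock time keeps the comparison deterministic; on a real system the same difference shows up as response latency.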