[Pkg-shadow-devel] Bug#495831: Bug#495831: Entering non-existant username at login prompt causes error message

Christian Perrier bubulle at debian.org
Thu Aug 21 04:58:19 UTC 2008


Quoting Tim Rørstrøm (timroerstroem at gmail.com):
> Package: login
> Version: 1:4.1.1-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> At the console login prompt, entering a username which does not exist on the system will immediately show an error message, thus revealing that the username is in fact non-existent on the system. This dramatically reduces the time it would take to brute-force your way into a user's account.


Could you please send the content of /etc/pam.d/login?
