[Pkg-shadow-devel] Bug#495831: Bug#495831: Entering non-existent username at login prompt causes error message

Nicolas François nicolas.francois at centraliens.net
Thu Aug 21 22:27:13 UTC 2008


On Wed, Aug 20, 2008 at 09:41:46PM +0200, timroerstroem at gmail.com wrote:
> 
> At the console login prompt, entering a username which does not exist on
> the system, will immediately show an error message, thus revealing that
> the username is in fact non-existent on the system. This dramatically
> reduces the time it would take to brute-force your way into a user's
> account.

How immediate is this?
On my machines, it takes 3 seconds.
(You can also increase the delay parameter provided to the
pam_faildelay.so module in /etc/pam.d/login)

If it is really immediate on your machine, then I can't reproduce it
currently.

After this timeout, you receive a message which indicates that the login
is incorrect, which might give some indications to an attacker willing to
brute-force, but brute-forcing login names at a 1 login/3 seconds rate is
not critical.

You can alternatively change the pam_securetty.so control type from
"requisite" to "required". In that case, you will always have a password
prompt. Note that in that case, root passwords may accidentally be
communicated over insecure links (e.g. if the user enters roto instead of
root).

Best Regards,
-- 
Nekral
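The two settings discussed in this thread (the control flag on pam_securetty.so and the delay= argument of pam_faildelay.so) can be checked mechanically. The script below is an added example, not code from the shadow package or from this thread; the PAM stack it parses is a constructed sample in the Debian /etc/pam.d/login style, and the module/argument names are the real ones from the message (delay= is in microseconds).

```python
import re

# Constructed sample resembling a Debian-style /etc/pam.d/login (assumption,
# not a copy of any real system's file).
SAMPLE_LOGIN_STACK = """\
# /etc/pam.d/login (constructed sample)
auth       optional   pam_faildelay.so  delay=3000000
auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
@include common-auth
account    required   pam_access.so
"""

def parse_pam_lines(text):
    """Yield (type, control, module, args) for each non-comment PAM line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2], parts[3:]

def audit_login_stack(text):
    """Return the control flag on pam_securetty.so and the pam_faildelay
    delay in seconds (None when the module or its delay= arg is absent)."""
    result = {"securetty_control": None, "faildelay_seconds": None}
    for ptype, control, module, args in parse_pam_lines(text):
        if ptype != "auth":
            continue
        if module == "pam_securetty.so":
            result["securetty_control"] = control
        elif module == "pam_faildelay.so":
            for arg in args:
                m = re.fullmatch(r"delay=(\d+)", arg)
                if m:  # delay= is given in microseconds
                    result["faildelay_seconds"] = int(m.group(1)) / 1_000_000
    return result

def findings(text):
    """Observations worth acting on; empty when the stack looks as advised."""
    r = audit_login_stack(text)
    notes = []
    if r["securetty_control"] == "requisite":
        # requisite aborts the stack on failure, so an unknown user never
        # reaches the password prompt; required keeps going to the prompt.
        notes.append("pam_securetty.so is requisite: unknown users fail before "
                     "the password prompt (use required to always prompt)")
    if r["faildelay_seconds"] is None:
        notes.append("pam_faildelay.so not configured: no delay on failed logins")
    return notes

if __name__ == "__main__":
    for note in findings(SAMPLE_LOGIN_STACK):
        print("-", note)
```

Running it against the sample reports only the requisite pam_securetty line, since the 3 second fail delay is already present.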
