[Pkg-shadow-devel] Bug#531341: Bug#531341: prints "login incorrect" without asking for password when entering an invalid login

Christian Perrier bubulle at debian.org
Mon Jun 1 06:14:35 UTC 2009


Quoting Dmitri Gribenko (gribozavr at gmail.com):
> Package: login
> Version: 1:4.1.3.1-1
> Severity: normal
> 
> 
> If you enter an invalid login, you get "login incorrect" immediately.  Expected
> behavior is that password should be asked regardless of login correctness.
> This is to mitigate user enumeration attacks.

login uses PAM for this and default settings are correct wrt brute
force attacks, with a 3-second delay before answering "Login incorrect".

Please check your /etc/pam.d/login file, it's probably missing a line
like this:

auth       optional   pam_faildelay.so  delay=3000000
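
The check suggested above, as an added example that is not part of the bug report or of the shadow/PAM sources: a small POSIX shell script that reads a PAM service file such as /etc/pam.d/login and reports whether pam_faildelay.so is listed and with what delay. pam_faildelay's delay= argument is in microseconds, so delay=3000000 is the 3-second pause the reply refers to; a pam_faildelay.so line without delay= falls back to FAIL_DELAY in /etc/login.defs. The sample service files are constructed here to stand in for real configurations.

```shell
#!/bin/sh
# Added example (not from the bug report or the shadow/PAM sources):
# inspect a PAM service file such as /etc/pam.d/login and report how
# pam_faildelay.so is configured. delay= is in microseconds, so
# "delay=3000000" is a 3-second pause before "Login incorrect".

# faildelay_setting FILE
#   Prints the delay= value (microseconds) of the first active
#   pam_faildelay.so line, or "default" if the module is listed without a
#   delay= argument (pam_faildelay then uses FAIL_DELAY from /etc/login.defs).
#   Prints nothing and returns 1 when the module is not configured at all.
faildelay_setting() {
    awk '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        {
            # PAM lines are: type control module-path [module-arguments]
            # The control field may be a bracketed list, so scan fields
            # rather than assuming the module path sits in $3.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /pam_faildelay\.so$/) {
                    for (j = i + 1; j <= NF; j++) {
                        if ($j ~ /^delay=[0-9]+$/) {
                            sub(/^delay=/, "", $j); print $j; found = 1; exit
                        }
                    }
                    print "default"; found = 1; exit
                }
            }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# faildelay_seconds FILE
#   Prints the explicit delay in seconds (one decimal); returns 1 when the
#   module is absent or relies on the login.defs default.
faildelay_seconds() {
    us=$(faildelay_setting "$1") || return 1
    if [ "$us" = "default" ]; then
        return 1
    fi
    LC_ALL=C awk -v us="$us" 'BEGIN { printf "%.1f\n", us / 1000000 }'
}

# report_faildelay FILE
#   Human-readable summary; exit status 1 if pam_faildelay.so is missing.
report_faildelay() {
    setting=$(faildelay_setting "$1") || {
        echo "$1: pam_faildelay.so not configured (no delay on failed logins)"
        return 1
    }
    if [ "$setting" = "default" ]; then
        echo "$1: pam_faildelay.so present; delay taken from FAIL_DELAY in /etc/login.defs"
    else
        echo "$1: pam_faildelay.so present; delay=$setting us ($(faildelay_seconds "$1") s)"
    fi
}

# Constructed sample service files standing in for /etc/pam.d/login variants.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/login.ok" <<'EOF'
# constructed sample: Debian default, 3-second delay
auth       optional   pam_faildelay.so  delay=3000000
auth       requisite  pam_securetty.so
@include common-auth
EOF

cat > "$tmp/login.nodelay" <<'EOF'
# constructed sample: module present, delay left to /etc/login.defs
auth       optional   pam_faildelay.so
@include common-auth
EOF

cat > "$tmp/login.missing" <<'EOF'
# constructed sample: the faildelay line has been commented out
# auth     optional   pam_faildelay.so  delay=3000000
auth       requisite  pam_securetty.so
@include common-auth
EOF

for f in "$tmp/login.ok" "$tmp/login.nodelay" "$tmp/login.missing"; do
    report_faildelay "$f" || :
done

# Check the real file where present; skipped on hosts without it.
if [ -r /etc/pam.d/login ]; then
    report_faildelay /etc/pam.d/login || :
fi
```

Run it as an unprivileged user; /etc/pam.d/login is world-readable on Debian, and the script only reads. The module-path match is a regex on the field's tail, so both the bare `pam_faildelay.so` and a full path under /lib/security are recognised.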
