Hi there,
A few minutes ago I tried to log in on one of my virtual consoles and made a small typo in the username. The reaction was quite surprising; maybe you'll see it when looking at the output:
Arch Linux (Core Dump) 2.6.23-kamikaze (flusenfalle)
flusenfalle login: roto
Login incorrect
flusenfalle login: jana
Login incorrect
flusenfalle login: jan
Password:
Last Login: bla bla...
[jan@flusenfalle ~]$ _
I have never seen this before... Isn't login supposed to accept any username at first (even if it doesn't exist) and print "Password:" anyway, before finally denying the login when I enter a password for the non-existent user?
At least I know it has worked this way for years... And this seems to be the default in Arch, as I never changed anything regarding this...
I consider this a security issue, because with a little knowledge about me it would be easier for a local attacker to compromise my system, because it's easy to find out which users exist on my machine... (and that's a start; sure, there are passwords, but it's a start...)
So, how can I change this back to the old, trusty behaviour I am used to?
want a modular and tweaked KDE for arch? try kdemod
Wow. Just wow. That really *IS* a security-issue. I have to check that out when I am home.
Todays mistakes are tomorrows catastrophes.
Maybe this is related in some way to the kernel you use? Have you tried the Arch kernel?
Sorry, but with the posts I've seen regarding this particular kernel I don't trust it at all.
There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums. That is why we avoid it. -- ewaller (arch linux forum moderator)
I can confirm this on the stock kernel. It does not ask for a password; it says "Login incorrect".
Right, now that you mention it, it happens here too.
funkyou, or anyone - post a bug please, we'll look at it.
funkyou, or anyone - post a bug please, we'll look at it.
OK, I am now posting a bug... I just wanted to check first whether I am maybe the only one experiencing this.
Maybe this is related in some way to the kernel you use? Have you tried the Arch kernel?
Sorry, but with the posts I've seen regarding this particular kernel I don't trust it at all.
I like the kamikaze kernel; it works fast and reliably for me... But I am using my own PKGBUILDs for it, and I also don't use the latest version. If it's stable and has no problems, I keep it...
The kernel does not handle logins. That's done by userspace applications. So even an old 2.0 kernel shouldn't provoke this behavior.
I wondered about this, too. I bet it comes from the PAM update several weeks ago, but I couldn't find anything in the ChangeLog.
This is an issue with pam. If anyone wants to look into this, it'd be appreciated.
I compared /etc/pam.d/ files on ubuntu and arch, and there weren't many differences.
Possibly, try changing the pam_unix line in /etc/pam.d/login to:
auth required pam_unix.so nullok audit
The "audit" option should give a large amount of output to syslog, so you could maybe try to get some info...
Excuse my ignorance, but why is this a problem?
Because you can try a bunch of usernames, and if they don't exist it won't ask for a password, but if one does exist it will ask for a password. Therefore the person/script/whatever can find out legitimate usernames on that system.
Last edited by rson451 (2007-11-26 21:53:18)
archlinux - please read this and this — twice — then ask questions.
--
http://rsontech.net | http://github.com/rson
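To make the enumeration oracle rson451 describes concrete, here is an added example (not code from the thread or from any Arch package) that simulates the two prompt behaviours side by side: the observed "Login incorrect before any password prompt" variant and the traditional "always ask for a password, then deny" variant. The account database, the candidate usernames and the password strings are constructed for the simulation; the transcript is the one pasted in the first post. The only signal the attacker side uses is whether a "Password:" prompt appeared.

```python
"""Login-prompt user-enumeration oracle (added example, not from the thread).

Simulates two login behaviours and shows that only the one which rejects
unknown users *before* asking for a password lets a caller tell existing
accounts from nonexistent ones.  ACCOUNTS, the candidate list and the
passwords are constructed for this example and describe no real host.
"""
from typing import Callable, Dict, List, Tuple

# Constructed account database (plaintext only for the simulation).
ACCOUNTS = {"jan": "correct horse", "root": "hunter2"}


def login_early_reject(username: str, password_source: Callable[[], str]) -> List[str]:
    """Behaviour reported in the thread: an unknown username is answered with
    'Login incorrect' without ever showing the 'Password:' prompt.
    Returns the sequence of prompts/messages the caller observes."""
    seen = [f"login: {username}"]
    if username not in ACCOUNTS:
        seen.append("Login incorrect")          # leaks: no prompt for unknown users
        return seen
    seen.append("Password:")
    pw = password_source()
    seen.append("Last login ..." if ACCOUNTS[username] == pw else "Login incorrect")
    return seen


def login_always_prompt(username: str, password_source: Callable[[], str]) -> List[str]:
    """Traditional behaviour: always ask for a password and check username and
    password together, so an unknown user and a known user with a wrong
    password produce identical output."""
    seen = [f"login: {username}", "Password:"]
    pw = password_source()
    ok = username in ACCOUNTS and ACCOUNTS[username] == pw
    seen.append("Last login ..." if ok else "Login incorrect")
    return seen


def enumerate_users(login: Callable, candidates: List[str]) -> Tuple[List[str], List[str]]:
    """Attacker view.  A candidate is 'confirmed' iff the system asked for a
    password; otherwise it is 'rejected'.  Against login_always_prompt every
    candidate is confirmed, i.e. the oracle yields no information."""
    confirmed, rejected = [], []
    for name in candidates:
        # A junk password is enough: only the presence of the prompt matters.
        seen = login(name, lambda: "not-the-password")
        (confirmed if "Password:" in seen else rejected).append(name)
    return confirmed, rejected


def users_from_transcript(transcript: str) -> Dict[str, bool]:
    """Apply the same oracle to a captured console transcript: the line after
    'login: NAME' is either 'Password:' (account exists) or 'Login incorrect'
    (it does not).  Case-sensitive so 'Last Login:' is not mistaken for a prompt."""
    result: Dict[str, bool] = {}
    lines = [ln.strip() for ln in transcript.strip().splitlines()]
    for i, line in enumerate(lines):
        if " login: " in line and i + 1 < len(lines):
            name = line.rsplit("login: ", 1)[1]
            result[name] = lines[i + 1].startswith("Password:")
    return result


# Transcript from the first post of the thread.
TRANSCRIPT = """
flusenfalle login: roto
Login incorrect
flusenfalle login: jana
Login incorrect
flusenfalle login: jan
Password:
Last Login: bla bla...
"""

if __name__ == "__main__":
    candidates = ["roto", "jana", "jan", "root"]
    print("early-reject :", enumerate_users(login_early_reject, candidates))
    print("always-prompt:", enumerate_users(login_always_prompt, candidates))
    print("from transcript:", users_from_transcript(TRANSCRIPT))
```

Against the early-reject variant the attacker recovers exactly the existing accounts (`jan`, `root`) and the transcript parser flags `jan` as real and `roto`/`jana` as nonexistent; against the always-prompt variant all four candidates look identical. The simulation does not model timing: a login that always prompts but skips the password check for unknown users can still leak account existence through response time, so "always prompt" is necessary but not sufficient on its own.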