
#1 2007-11-23 07:55:55

funkyou
Member
From: Berlin, DE
Registered: 2006-03-19
Posts: 848
Website

login in console denying the username?

Hi there,

Some minutes ago I tried to log in on one of my virtual consoles and made a small typo in the username. The reaction was quite surprising; maybe you get it when looking at the output:

Arch Linux (Core Dump)   2.6.23-kamikaze   (flusenfalle)

flusenfalle login: roto

Login incorrect
flusenfalle login: jana

Login incorrect
flusenfalle login: jan
Password:
Last Login: bla bla...
[jan@flusenfalle ~]$ _

I have never seen this before... Isn't the login supposed to accept every username at first (even if it doesn't exist) and print the "Password:" prompt anyway, before finally denying the login once I have entered a password for the non-existent user?

At least I know it has worked this way for years... And this seems to be the default in Arch, as I never changed anything regarding this...

I consider this a security issue, because with a little knowledge about me it would be easier for a local attacker to compromise my system, since it's easy to find out which users exist on my machine... (and that's a start; sure, there are passwords, but it's a start...)

So, how can I change this to the ol' trusty behaviour I am used to?


want a modular and tweaked KDE for arch? try kdemod

Offline

#2 2007-11-23 08:36:11

mucknert
Member
From: Berlin // Germany
Registered: 2006-06-27
Posts: 510

Re: login in console denying the username?

Wow. Just wow. That really *IS* a security-issue. I have to check that out when I am home.


Todays mistakes are tomorrows catastrophes.

Offline

#3 2007-11-23 09:45:19

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: login in console denying the username?

Maybe this is related in some way to the kernel you use? Have you tried the ARCH kernel?
Sorry, but with the posts I've seen regarding this particular kernel I don't trust it at all.


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#4 2007-11-23 09:48:37

somairotevoli
Member
Registered: 2006-05-23
Posts: 335

Re: login in console denying the username?

I can confirm this on the stock kernel. It does not ask for a password, it says "Login incorrect".

Offline

#5 2007-11-23 09:50:17

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: login in console denying the username?

Right, now that you mention it, it happens here too.


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#6 2007-11-23 10:08:00

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: login in console denying the username?

funkyou, or anyone - post a bug please, we'll look at it.

Offline

#7 2007-11-23 10:27:29

funkyou
Member
From: Berlin, DE
Registered: 2006-03-19
Posts: 848
Website

Re: login in console denying the username?

tomk wrote:

funkyou, or anyone - post a bug please, we'll look at it.

OK, I am now posting a bug... I just wanted to check first whether I am maybe the only one experiencing this.

dolby wrote:

Maybe this is related in some way to the kernel you use? Have you tried the ARCH kernel?
Sorry, but with the posts I've seen regarding this particular kernel I don't trust it at all.

I like the kamikaze kernel, it works fast and reliably for me... But I am using my own PKGBUILDs for it, and I also don't use the latest version. If it's stable and has no problems, I keep it...


want a modular and tweaked KDE for arch? try kdemod

Offline

#8 2007-11-23 10:34:11

mucknert
Member
From: Berlin // Germany
Registered: 2006-06-27
Posts: 510

Re: login in console denying the username?

The kernel does not handle logins. That's done by userspace-applications. So even an old kernel 2.0 shouldn't provoke this behavior.


Todays mistakes are tomorrows catastrophes.

Offline

#9 2007-11-24 10:56:07

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: login in console denying the username?

I wondered about this, too. I bet it comes from the PAM update several weeks ago, but I couldn't find anything in the ChangeLog.


1000

Offline

#10 2007-11-26 19:07:12

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: login in console denying the username?

This is an issue with pam. If anyone wants to look into this, it'd be appreciated.
I compared the /etc/pam.d/ files on Ubuntu and Arch, and there weren't many differences.

Possibly, try changing the pam_unix line in /etc/pam.d/login to:

auth        required    pam_unix.so nullok audit

The "audit" option should give a large amount of output to syslog, so you could maybe try to get some info...

Offline

#11 2007-11-26 21:11:39

F
Member
Registered: 2006-10-09
Posts: 322

Re: login in console denying the username?

Excuse my ignorance, but why is this a problem?

Offline

#12 2007-11-26 21:52:24

rson451
Member
From: Annapolis, MD USA
Registered: 2007-04-15
Posts: 1,233
Website

Re: login in console denying the username?

Because you can try a bunch of usernames, and if they don't exist it won't ask for a password, but if it does exist it will ask for a password. Therefore the person/script/whatever can find out legitimate usernames on that system.

Last edited by rson451 (2007-11-26 21:53:18)


archlinux - please read this and this — twice — then ask questions.
--
http://rsontech.net | http://github.com/rson

Offline
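The difference discussed in this thread, modelled as an added example (not code from the thread, from login or from PAM): a login flow that rejects unknown names before the password prompt, beside one that always prompts and fails the same way, plus a regression check that compares what a failed login looks like for an existing and a missing account. All function names, the account table and the "shell" marker are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # Stand-in password hash for the model; real systems use crypt(3) via PAM.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def make_db(accounts):
    db = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(password, salt))
    return db


DB = make_db({"jan": "constructed-password"})  # constructed sample account
DUMMY_SALT = os.urandom(16)  # used so unknown users cost the same hashing work


def leaky_login(db, user, password):
    """Behaviour reported in the thread: unknown names fail before the prompt."""
    transcript = ["login:"]
    if user not in db:
        return False, transcript + ["Login incorrect"]
    transcript.append("Password:")
    salt, stored = db[user]
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok, transcript + ["shell" if ok else "Login incorrect"]


def uniform_login(db, user, password):
    """Expected behaviour: always prompt, always hash, fail identically."""
    transcript = ["login:", "Password:"]
    salt, stored = db.get(user, (DUMMY_SALT, None))
    candidate = _hash(password, salt)
    ok = stored is not None and hmac.compare_digest(candidate, stored)
    return ok, transcript + ["shell" if ok else "Login incorrect"]


def reveals_accounts(login, db, known_user, unknown_user):
    """True if a failed login looks different for existing vs. missing users."""
    _, seen_known = login(db, known_user, "wrong-password")
    _, seen_unknown = login(db, unknown_user, "wrong-password")
    return seen_known != seen_unknown
```

A check like `reveals_accounts` belongs in a regression test for any login front end, so that a library update cannot silently bring the early rejection back.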
