[Pkg-shadow-devel] Bug#443322: Bug#443322: login: immediate 'Login incorrect' after unknown user name

Nicolas François nicolas.francois at centraliens.net
Thu Sep 20 17:11:38 UTC 2007


On Thu, Sep 20, 2007 at 05:29:00PM +0200, ingok at gmx.net wrote:
> when logging in with an unknown user name,
> the login is immediately rejected with 'Login incorrect'.  

That may have change between Sarge and Etch, when the login strategy
changed to use PAM.

> I suppose this is bad for security as it allows to
> more easily guess valid user names.

I don't think there are any security issue here. Your security should not
rely on usernames.

There are usually a lot of ways to find user names (starting by common
names like "root", using naming policies, looking at mail header, etc.)

If anything like this had to be implemented, a simple sleep in login would
not be sufficient. It would be better to implement a PAM module which
could enforce a login burst restriction policy for all the services of
a server.
(i.e. otherwise, you could still switch from a console to the other)

I'm still not closing this bug, and would prefer to have co-maintainers


More information about the Pkg-shadow-devel mailing list