[Pkg-shadow-devel] Bug#443322: Bug#443322: login: immediate 'Login incorrect' after unknown user name
Nicolas François
nicolas.francois at centraliens.net
Thu Sep 20 17:11:38 UTC 2007
Hello,
On Thu, Sep 20, 2007 at 05:29:00PM +0200, ingok at gmx.net wrote:
>
> when logging in with an unknown user name,
> the login is immediately rejected with 'Login incorrect'.
That may have changed between Sarge and Etch, when the login strategy
changed to use PAM.
> I suppose this is bad for security as it allows to
> more easily guess valid user names.
I don't think there is any security issue here. Your security should not
rely on usernames.
There are usually a lot of ways to find user names (starting with common
names like "root", using naming policies, looking at mail headers, etc.)
If anything like this had to be implemented, a simple sleep in login would
not be sufficient. It would be better to implement a PAM module which
could enforce a login burst restriction policy for all the services of
a server.
(i.e. otherwise, you could still switch from one console to another)
I'm still not closing this bug, and would prefer to have the co-maintainers'
opinion.
--
Nekral
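
The point made in the message above, that a delay inside login can be sidestepped by switching consoles while a server-wide burst policy cannot, is modelled in the following added example. It is not code from the message, from shadow or from any PAM module; `BURST`, `WINDOW`, `NTTY` and the function names are assumptions chosen for illustration, and the attempt sequence is constructed.

```c
#include <stdio.h>

#define BURST  3    /* failures allowed per window (assumed policy value) */
#define WINDOW 60   /* window length in seconds (assumed policy value) */
#define NTTY   4    /* consoles the constructed guesser rotates over */

/* Sliding window of recent attempt timestamps for one limiter key. */
struct window { long stamps[BURST]; int used; };

/* Returns 1 and records the attempt if it may proceed at time `now`, else 0. */
int window_allow(struct window *w, long now)
{
    int kept = 0;
    for (int i = 0; i < w->used; i++)      /* expire stamps outside the window */
        if (now - w->stamps[i] < WINDOW)
            w->stamps[kept++] = w->stamps[i];
    w->used = kept;
    if (w->used >= BURST)
        return 0;                          /* burst exhausted: throttle */
    w->stamps[w->used++] = now;
    return 1;
}

/* Constructed scenario: `guesses` attempts `step` seconds apart, switching
 * console each time. per_terminal=1 keys the limiter by tty (what a delay
 * inside login amounts to); per_terminal=0 uses one key for the whole server. */
int attempts_allowed(int per_terminal, int guesses, long step)
{
    struct window by_tty[NTTY] = {0}, server = {0};
    int allowed = 0;
    for (int n = 0; n < guesses; n++) {
        struct window *w = per_terminal ? &by_tty[n % NTTY] : &server;
        allowed += window_allow(w, n * step);
    }
    return allowed;
}

int main(void)
{
    printf("keyed per terminal: %d of 12 guesses pass\n", attempts_allowed(1, 12, 1));
    printf("keyed per server:   %d of 12 guesses pass\n", attempts_allowed(0, 12, 1));
    printf("per server, paced:  %d of 12 guesses pass\n", attempts_allowed(0, 12, 30));
    return 0;
}
```

A real PAM module would additionally need the counter state to be shared between processes and services, which this single-process model leaves out.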