[Pkg-shadow-devel] Bug#495831: Bug#495831: Entering non-existant username at login prompt causes error message

Nicolas François nicolas.francois at centraliens.net
Thu Aug 21 22:27:13 UTC 2008

On Wed, Aug 20, 2008 at 09:41:46PM +0200, timroerstroem at gmail.com wrote:
> At the console login prompt, entering a username which does not exist on
> the system, will immediately show an error message, thus revealing that
> the username is in fact nonexistent on the system. This dramatically
> reduces the time it would take to brute-force your way into a user's
> account.

How immediate is this?
On my machines, it takes 3 seconds.
(You can also increase the delay parameter provided to the
pam_faildelay.so module in /etc/pam.d/login)

If it is really immediate on your machine, then I can't reproduce it.

After this timeout, you receive a message which indicates that the login
is incorrect, which might give some indications to an attacker willing to
brute-force, but brute-forcing login names at a 1 login/3 seconds rate is
not critical.

You can alternatively change the pam_securetty.so control type from
"requisite" to "required". In that case, you will always have a password
prompt. Note that in that case, root passwords may accidentally be
communicated over insecure links (e.g. if the user enters roto instead of

Best Regards,
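
An added example, not part of the original message or of the shadow package: a small Python check that reads a PAM stack such as /etc/pam.d/login and reports the two settings discussed in the reply, the pam_faildelay.so delay and the pam_securetty.so control type. The sample stack is constructed, the function names and the 3-second threshold are assumptions, and the `delay=` value is read as microseconds, as pam_faildelay documents it.

```python
import re

# Constructed sample of an /etc/pam.d/login auth stack (not from a real host).
SAMPLE = """\
# PAM configuration for login
auth       optional   pam_faildelay.so  delay=3000000
auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
@include common-auth
"""

def parse_stack(text):
    """Yield (type, control, module, args) for each rule line of a PAM file."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()

def audit_login_stack(text, min_delay_s=3.0):
    """Report the pam_faildelay delay and the pam_securetty control type.

    min_delay_s is an assumed threshold, taken from the 3 seconds in the mail.
    """
    result = {"faildelay_s": None, "securetty_control": None, "notes": []}
    for ptype, control, module, args in parse_stack(text):
        if ptype != "auth":
            continue
        name = module.rsplit("/", 1)[-1]  # accept absolute module paths
        if name == "pam_faildelay.so":
            for arg in args:
                if arg.startswith("delay="):  # value is in microseconds
                    result["faildelay_s"] = int(arg[len("delay="):]) / 1_000_000
        elif name == "pam_securetty.so":
            result["securetty_control"] = control
    delay = result["faildelay_s"]
    if delay is None or delay < min_delay_s:
        result["notes"].append(f"failure delay not set or below {min_delay_s}s")
    if result["securetty_control"] == "requisite":
        result["notes"].append(
            "pam_securetty is requisite: a failure ends the stack at once, "
            "before any password prompt")
    return result

if __name__ == "__main__":
    print(audit_login_stack(SAMPLE))
```
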
