[Pkg-shadow-devel] Bug#443322: Yes, maintain the original behaviour
martinwguy at yahoo.it
Thu Sep 11 09:45:15 UTC 2008
Yes, this is a security problem.
Letting people probe usernames compromises Unix security - the
behaviour must be identical, including the time taken, whether the
username is valid or not
(There was once a hole introduced when someone decided not to bother
hashing the supplied password if the username was invalid, thereby
informing attackers of username validity by the time it took to reject
them on an idle machine)
Unix is used in many contexts that you cannot begin to imagine -
something as generic as Debian even more, so arguments of the form "I
can't think of a circumstance where this would be a problem any more"
are just display sleepwalking naivety. Just to knock the specific
example of this kind of thinking, if someone steals my laptop, I don't
want them having an easy life by being able to probe for usernames and
then just having the passwords to guess. Another example: we run a
service is a squat in Sicily, providing email to hundreds of people,
but we can't afford a guard to sit by the server 24 hours a day...
Please maintain regular Unix security on *all* entry points, not
just the bare minumum that applies in your own particular
circumstance! Don't change what ain't broke...
More information about the Pkg-shadow-devel