[Pkg-shadow-devel] Bug#531341: Debian bug 531341

[Goswin von Brederlow]

Nicolas François <nicolas.francois at centraliens.net> writes:

> Hello,
>
> On Mon, Jul 20, 2009 at 02:01:27PM -0500, tallgirl at austin.rr.com wrote:
>> 
>> I think that you're confusing the requirement that unknown user names
>> not be logged, because they might be a user's password with the
>> non-existent requirement that all unknown user names be treated like
>> "root" and not prompted for a password.
>
> No, I was not mentioning the case where an user types her password instead
> of her username.
>
>> If you still think you're right, I'd like to see the source for the
>> requirement.  I've been through a number of formal evaluations as the
>> vendor lead (IBM) and we never had that requirement under any evaluation
>> scheme.
>
> I cannot point you to any source of requirements, except mine:
>  1. root's password should not be transmitted on insecure lines
>     => The password should not be prompted if login is on an insecure line
>        and login thinks the user might be root.
>  2. root can mistype her username
>     => Any invalid user might be a mistyped "root"

You can run some heuristic:
1) if user exists and is not root then it is probably not mistyped
2) if user is similar to root (like rot) then assume mistyped
3) assume normal user otherwise

If root mistypes his user name as kfgerjhfgsdgfvedj I think then we
can blame root itself. Same if root allows a user rot to be created
and then mistypes his name. In the end the user name is clearly
visible. Watch what you type.

>  3. login should not leak information about the valid usernames on the
>     system.
>     => The user should be prompted a password whether the username is valid
>        or not.

We all know there is a root user already so no information is leaked. :)

> I do not think those requirements can be satisfied at the same time.

But near enough.

MfG
        Goswin