[Pkg-shadow-devel] Bug#531341: prints "login incorrect" without asking for password when entering an invalid login

[Dmitri Gribenko]

Package: login
Version: 1:4.1.3.1-1
Severity: normal


If you enter an invalid login, you get "login incorrect" immediately.  Expected
behavior is that password should be asked regardless of login correctness.
This is to mitigate user enumeration attacks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-rc7-3218911f-30may2009 (SMP w/2 CPU cores)
Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages login depends on:
ii  libc6                         2.9-12     GNU C Library: Shared libraries
ii  libpam-modules                1.0.1-9    Pluggable Authentication Modules f
ii  libpam-runtime                1.0.1-9    Runtime support for the PAM librar
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information