kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #50476
[Bug 1294799] Re: login while invalid user (sanity check is missing)
This is a security measure intended to prevent username enumeration --
this is an explicit design decision.
For more details, see e.g.
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_
(OWASP-AT-002)
Thanks
** Information type changed from Private Security to Public Security
** Changed in: linux (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1294799
Title:
login while invalid user (sanity check is missing)
Status in “linux” package in Ubuntu:
Invalid
Bug description:
We have been working on ubuntu for a long time and used to login for access the machine using ssh,telnet and others services. I have been observed strange behavior when we were log-on. Usually if password is matched for the given username, it will authenticate to access the machine.
Strange scenario:
Lets assume, if we entered invalid username still it expects the password of invalid user. In this case, we always being in unsuccessful case. To avoid this, shall we block prompt for password if invalid username enters? We should report as the entered username is invalid.
root@murali:/etc/pam.d# ssh 10.100.1.106 -l XYZ ====> ( XYZ is an invalid user in this linux machine)
XYZ@10.100.1.106's password:
Permission denied, please try again.
XYZ@10.100.1.106's password:
Permission denied, please try again.
XYZ@10.100.1.106's password:
Permission denied (publickey,password).
root@murali:/etc/pam.d#
root@murali:/etc/pam.d# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
root@murali:/etc/pam.d#
Thanks
Murali.S
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1294799/+subscriptions