
kernel-packages team mailing list archive

[Bug 1294799] Re: login while invalid user (sanity check is missing)

This is a security measure intended to prevent username enumeration --
this is an explicit design decision.

For more details, see e.g.
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Thanks

** Information type changed from Private Security to Public Security

** Changed in: linux (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1294799

Title:
  login while invalid user (sanity check is missing)

Status in “linux” package in Ubuntu:
  Invalid

Bug description:
  We have been working on Ubuntu for a long time and are used to logging in to access the machine using ssh, telnet and other services. I have observed strange behavior when we log on. Usually, if the password matches for the given username, it authenticates and we can access the machine.

  Strange scenario:
  Let's assume we enter an invalid username; it still expects the password of the invalid user. In this case, we always end up in the unsuccessful case. To avoid this, shall we block the prompt for the password if an invalid username is entered? We should report that the entered username is invalid.
   
   
  root@murali:/etc/pam.d# ssh 10.100.1.106 -l XYZ ====> ( XYZ is an invalid user in this linux machine)
  XYZ@10.100.1.106's password:
  Permission denied, please try again.
  XYZ@10.100.1.106's password:
  Permission denied, please try again.
  XYZ@10.100.1.106's password:
  Permission denied (publickey,password).
  root@murali:/etc/pam.d#

  root@murali:/etc/pam.d# cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=12.04
  DISTRIB_CODENAME=precise
  DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
  root@murali:/etc/pam.d#

  Thanks
  Murali.S
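The maintainer's point above, that the login path must not behave differently for unknown and known usernames, as an added Python example (not code from Ubuntu, sshd or PAM): a leaky check that returns early for unknown users beside a uniform one, over a constructed in-memory user store with made-up names, salts and a password.

```python
import hashlib
import hmac

# Constructed user store for the example: username -> (salt, PBKDF2 hash).
# A real system would consult /etc/shadow or a PAM backend instead.
def _hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"murali": (_SALT, _hash_password(b"correct horse", _SALT))}

# Dummy credential so that an unknown username still costs one full hash
# computation; otherwise response time alone would reveal account existence.
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash_password(b"unused", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Weak variant: the early return and the two distinct messages let a
    caller learn which usernames exist (the behaviour the bug report asked for)."""
    if username not in USERS:
        return "invalid user"          # reveals that the account does not exist
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password.encode(), salt), stored):
        return "ok"
    return "invalid password"          # distinguishable from the line above

def login_uniform(username: str, password: str) -> str:
    """Hardened variant (what the maintainer defends): always accept a password,
    always do the hashing work, always return the same failure text."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash_password(password.encode(), salt), stored)
    # The dummy hash could only match if the caller guessed the dummy password,
    # so the existence check is required to keep unknown users out.
    return "ok" if (known and match) else "Permission denied, please try again."

def failures_distinguishable(login) -> bool:
    """True if an unknown-user failure can be told apart from a wrong-password
    failure by the response text alone, i.e. the check enumerates users."""
    return login("murali", "wrong") != login("nobody", "wrong")
```

The uniform variant is what the ssh transcript in the report shows: the prompt and the "Permission denied" text are identical whether or not XYZ exists.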
