* Mark Hobley:

> --- On Sun, 21/12/08, Florian Weimer <f...@deneb.enyo.de> wrote:
>
>> The intent is to prevent accidental transmission of cleartext
>> passwords. To achieve this, you have to abort the login sequence
>> after the user name.
>
> I think we have a design flaw here. If the user has a valid
> password, then he probably has the associated username information,
> and thus a valid login. If on the other hand, a hacker is guessing,
> which I reckon is more likely, we are feeding him username
> validation. (In my case, the default behaviour is less secure than
> the proposed revision.)

Yes, there is a trade-off.

> I think we should have a switch here to allow the administrator to
> decide which behaviour is required.

As I wrote before, it is possible to configure vsftpd in the way you
want using PAM.