This is a security measure intended to prevent username enumeration --
this is an explicit design decision.

For more details, see e.g.
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Thanks

** Information type changed from Private Security to Public Security

** Changed in: linux (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1294799

Title:
  login while invalid user (sanity check is missing)

Status in “linux” package in Ubuntu:
  Invalid

Bug description:
  We have been working on Ubuntu for a long time and used to log in to access
  the machine using ssh, telnet and other services. I have observed strange
  behavior when we were logging on. Usually if the password matches for the given
  username, it will authenticate to access the machine.
   
  Strange scenario:
  Let's assume we entered an invalid username; it still expects the password of
  the invalid user. In this case, we are always in the unsuccessful case. To avoid
  this, shall we block the prompt for the password if an invalid username is
  entered? We should report that the entered username is invalid.
   
   
  root@murali:/etc/pam.d# ssh 10.100.1.106 -l XYZ ====> ( XYZ is an invalid user in this linux machine)
  XYZ@10.100.1.106's password:
  Permission denied, please try again.
  XYZ@10.100.1.106's password:
  Permission denied, please try again.
  XYZ@10.100.1.106's password:
  Permission denied (publickey,password).
  root@murali:/etc/pam.d#

  root@murali:/etc/pam.d# cat /etc/lsb-release
  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=12.04
  DISTRIB_CODENAME=precise
  DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
  root@murali:/etc/pam.d#

  Thanks
  Murali.S

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1294799/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
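
The design decision described in this thread, as an added example that is not part of the original bug report and is not OpenSSH or PAM code: a login check that returns the same message and performs the same password-hashing work whether or not the username exists, next to the variant requested in the report. The user store, function names, work factor and password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor, kept small for the demo
GENERIC_FAILURE = "Permission denied, please try again."

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    """Return (salt, derived_key) as it would be stored for an account."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed account database: one valid user.
USERS = {"murali": make_record("correct horse")}

# Record checked for unknown usernames, so that the expensive hash is
# computed on every attempt and timing does not reveal account existence.
_DUMMY = make_record(os.urandom(16).hex())

def check_login(username: str, password: str):
    """Uniform behaviour: always 'prompt', always hash, one failure message."""
    record = USERS.get(username)
    salt, expected = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), expected)
    ok = matches and record is not None  # dummy record can never authenticate
    return ok, ("Welcome" if ok else GENERIC_FAILURE)

def leaky_check_login(username: str, password: str):
    """Behaviour requested in the report: reject unknown usernames early.
    The distinct message (and the skipped hash) tells a remote client
    which account names exist."""
    if username not in USERS:
        return False, "Invalid username."
    salt, expected = USERS[username]
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return ok, ("Welcome" if ok else GENERIC_FAILURE)

if __name__ == "__main__":
    print(check_login("XYZ", "guess"))           # unknown user
    print(check_login("murali", "guess"))        # known user, wrong password
    print(leaky_check_login("XYZ", "guess"))     # reveals that XYZ is invalid
```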
