HP-UX exhibits the same behavior. Actually, when I questioned this behavior on comp.sys.hp.hpux a while back (look for the subject "Better remote access denial than securetty?" through DejaNews if you're interested), the only response I got took the approach that it was more of a feature than a bug. But I didn't think the arguments given were a strong enough case against just dropping root login attempts that weren't at the console. So maybe the vendors don't see it as a bug? I certainly do.

Kevin

At 04:14 PM 9/28/98 -0700, D.A. Harris wrote:
>
>Actually, something that I think is a bug in IRIX, something that hasn't been
>fixed in 6.5, is the behavior of login when you specify that root can
>only login into /dev/console (this can be set in /etc/default/login).
>Instead of immediately denying someone access when they try to telnet
>or rlogin as root to a box, it lets you still attempt the password, and
>only denies you access when you get the password correct. So a hacker would
>know that they have the right root password, so all he has to do is hack
>a user account, probably not too difficult. What login should do is once
>root gets entered at the login prompt, it should give an error and disconnect,
>that way no potential hint to the root password would be given.
>
>
>--
>Dale Harris <rodmurat_private>                 PGP KeyID: E26EC5FD
>System Administrator                           ph. (530) 898-4421
>Computer Graphics, Instructional Media Center  fax. (530) 898-5369
>California State University, Chico, California 95929-0005
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

--
Kevin Hawkins - NCSA Security
email: khawkinsat_private
PGP: http://www.ncsa.uiuc.edu/People/khawkins/pgp.html
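The ordering issue discussed in this thread, as an added example that is not part of either message and is not vendor login code: a small C model comparing a console check applied after password verification with one applied before it. The function names, the outcome values, the password string and the tty name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* What a remote client can observe after one login attempt. */
enum outcome { LOGIN_OK, LOGIN_INCORRECT, NOT_ON_CONSOLE, REJECTED_NO_PROMPT };

/* Constructed stand-ins: a real login compares password hashes and reads
 * the console restriction from its configuration (/etc/default/login). */
static const char *ROOT_PW = "constructed-secret";
static const char *CONSOLE = "/dev/console";

/* Only the root account is modelled here. */
static int pw_ok(const char *user, const char *pw) {
    return strcmp(user, "root") == 0 && strcmp(pw, ROOT_PW) == 0;
}

/* Order described in the thread: the password is verified first and the
 * console restriction is applied afterwards, so the reply depends on it. */
enum outcome login_check_late(const char *user, const char *tty, const char *pw) {
    if (!pw_ok(user, pw))
        return LOGIN_INCORRECT;
    if (strcmp(user, "root") == 0 && strcmp(tty, CONSOLE) != 0)
        return NOT_ON_CONSOLE;      /* reached only with the correct password */
    return LOGIN_OK;
}

/* Order proposed in the thread: refuse root off-console before any password
 * is evaluated, so the reply carries no information about the password. */
enum outcome login_check_early(const char *user, const char *tty, const char *pw) {
    if (strcmp(user, "root") == 0 && strcmp(tty, CONSOLE) != 0)
        return REJECTED_NO_PROMPT;
    return pw_ok(user, pw) ? LOGIN_OK : LOGIN_INCORRECT;
}

/* Returns 1 if a remote client can tell a right password from a wrong one. */
int leaks_password_validity(
        enum outcome (*check)(const char *, const char *, const char *)) {
    const char *tty = "/dev/ttyp0"; /* constructed remote pseudo-terminal */
    return check("root", tty, ROOT_PW) != check("root", tty, "wrong-guess");
}

int main(void) {
    printf("late check leaks:  %d\n", leaks_password_validity(login_check_late));
    printf("early check leaks: %d\n", leaks_password_validity(login_check_early));
    return 0;
}
```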
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:26 PDT