HP-UX exhibits the same behavior. Actually, when I questioned this
behavior on comp.sys.hp.hpux a while back (look for the subject
"Better remote access denial than securetty?" through DejaNews if
you're interested), the only response I got took the approach that
it was more of a feature than a bug. But I didn't think the arguments
given were a strong enough case against just dropping root login
attempts that weren't at the console.
So maybe the vendors don't see it as a bug? I certainly do.
Kevin
At 04:14 PM 9/28/98 -0700, D.A. Harris wrote:
>
>Actually, something that I think is a bug in IRIX, something that hasn't been
>fixed in 6.5, is the behavior of login when you specify that root can
>only login into /dev/console (this can be set in /etc/default/login).
>Instead of immediately denying someone access when they try to telnet
>or rlogin as root to a box, it lets you still attempt the password, and
>only denies you access when you get the password correct. So a hacker would
>know that they have the right root password, so all he has to do is hack
>a user account, probably not too difficult. What login should do is once
>root gets entered at the login prompt, it should give an error and
disconnect,
>that why no potential hint to the root password would be given.
>
>
>--
>Dale Harris <rodmurat_private> PGP KeyID: E26EC5FD
>System Administrator ph. (530) 898-4421
>Computer Graphics, Instructional Media Center fax. (530) 898-5369
>California State University, Chico, California 95929-0005
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
--
Kevin Hawkins - NCSA Security
email: khawkinsat_private
PGP: http://www.ncsa.uiuc.edu/People/khawkins/pgp.html
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:26 PDT