From nobody  Sun Feb 23 09:04:23 1997
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id JAA18706;
          Sun, 23 Feb 1997 09:04:23 -0800 (PST)
Message-Id: <199702231704.JAA18706@freefall.freebsd.org>
Date: Sun, 23 Feb 1997 09:04:23 -0800 (PST)
From: froden@bigblue.no
To: freebsd-gnats-submit@freebsd.org
Subject: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
X-Send-Pr-Version: www-1.0

>Number:         2804
>Category:       bin
>Synopsis:       /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    davidn
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 23 09:10:01 PST 1997
>Closed-Date:    Wed Mar 19 03:28:48 EST 1997
>Last-Modified:  Wed Mar 19 03:29:41 EST 1997
>Originator:     Frode Nordahl
>Release:        2.1.5-RELEASE / 2.1.7-RELEASE
>Organization:
Big Blue Systems AS
>Environment:
FreeBSD login.bigblue.no 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #0: Fri Feb 21 13:26:04 MET 1997     root@login.bigblue.no:/usr/src/sys/compile/LOGIN  i386
>Description:
When telnetting into, or using any non-secure port on a FreeBSD system,
/usr/sbin/login reports "root login refused on this terminal." when you
try to log in as root with the correct password.

It should however report "Login incorrect" no matter if the password is
correct or not; if not, outside users can test and find out what your
root password is without even logging in.
>How-To-Repeat:
telnet to a FreeBSD machine and log in as root with the correct password.
>Fix:
Alter /usr/sbin/login to report "Login incorrect" instead of
"login refused on this terminal"?
>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@lcs.mit.edu>
To: froden@bigblue.no
Cc: freebsd-gnats-submit@freebsd.org
Subject: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Date: Sun, 23 Feb 1997 13:04:07 -0500

 <<On Sun, 23 Feb 1997 09:04:23 -0800 (PST), froden@bigblue.no said:
 
 >> Synopsis:       /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
 
 That's really not very useful.  I would suggest that you have this
 backwards: when a root login is attempted on an insecure terminal, it
 should either:
 
 1) Refuse immediately without asking for a password.
 
 or
 
 2) Respond `root login refused on this terminal' without verifying the
 password.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick

From: Mike Pritchard <mpp>
To: joerg_wunsch@uriah.heep.sax.de
Cc: freebsd-gnats-submit
Subject: Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Date: Sun, 23 Feb 1997 12:26:09 -0800 (PST)

 J Wunsch wrote:
 > 
 > As Garrett Wollman wrote:
 > 
 > >  1) Refuse immediately without asking for a password.
 > >  
 > >  or
 > >  
 > >  2) Respond `root login refused on this terminal' without verifying the
 > >  password.
 > 
 > Both aren't correct either.  They allow spying additional UID 0
 > accounts.
 
 The rule I was taught to follow was that you should never provide any 
 more information than "login incorrect" because anything beyond that 
 may help the intruder.  Telling them "root logins refused" informs 
 them right off that you have secure ttys enabled, and that they should
 go try to find another way into the machine.  
 
 I think the only other case where we don't just report "login incorrect" is if 
 the account is expired, but you need the correct password first.
 
 Both cases should probably just report "login incorrect", and send
 a syslog message about it.
 -- 
 Mike Pritchard
 mpp@FreeBSD.org
 "Go that way.  Really fast.  If something gets in your way, turn"

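The policy Mike Pritchard describes above, as an added illustration that is not FreeBSD's login.c and not part of this PR: every failed attempt gets the same "Login incorrect" string, the password is always checked before any other condition is evaluated, and the real reason (bad password, root on an insecure tty, expired account) goes only to the log. The account records, the `SECURE_TTYS` set standing in for the `secure` flag in /etc/ttys, and all names and passwords are constructed for the example.

```python
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass

# Hypothetical account record; the password store, names and salts are
# constructed for this example and are not FreeBSD's master.passwd format.
@dataclass
class Account:
    name: str
    uid: int
    salt: bytes
    pw_hash: bytes
    expired: bool = False

def _hash_password(salt: bytes, password: str) -> bytes:
    # PBKDF2 keeps the example self-contained; the iteration count is kept
    # small because this is illustrative, not a production parameter.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def make_account(name: str, uid: int, password: str, expired: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(name, uid, salt, _hash_password(salt, password), expired)

# Stand-in for the 'secure' flag on an entry in /etc/ttys: root may only log
# in on these terminals. The tty names are assumptions for the example.
SECURE_TTYS = {"console", "ttyv0"}

# The single message every failed attempt gets, whatever the reason.
GENERIC_FAILURE = "Login incorrect"

# Dummy salt/hash used when the account does not exist, so an unknown user
# costs the same password computation as a known one.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_password(_DUMMY_SALT, "")

log = logging.getLogger("login")

def check_login(users: dict, name: str, password: str, tty: str):
    """Return (ok, user_message, log_reason).

    user_message is GENERIC_FAILURE for every failure; the distinguishing
    reason is returned separately and written to the log only.
    """
    acct = users.get(name)
    salt = acct.salt if acct else _DUMMY_SALT
    expected = acct.pw_hash if acct else _DUMMY_HASH
    # Always run the comparison, even for unknown users and insecure ttys,
    # so the message does not reveal which check actually failed.
    pw_ok = hmac.compare_digest(_hash_password(salt, password), expected)

    if acct is None or not pw_ok:
        reason = "bad password or unknown user"
    elif acct.uid == 0 and tty not in SECURE_TTYS:
        reason = "root login refused on insecure tty"
    elif acct.expired:
        reason = "account expired"
    else:
        log.info("login succeeded for %s on %s", name, tty)
        return True, f"Welcome, {name}", None

    # The detail an administrator needs is in syslog, not on the user's screen.
    log.warning("LOGIN FAILURE for %r on %s: %s", name, tty, reason)
    return False, GENERIC_FAILURE, reason

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    users = {"root": make_account("root", 0, "example-root-pw"),
             "frode": make_account("frode", 1001, "example-pw", expired=True)}
    for who, pw, tty in [("root", "example-root-pw", "ttyp0"),
                         ("root", "wrong", "ttyp0"),
                         ("frode", "example-pw", "ttyp0"),
                         ("nobody", "", "ttyp0"),
                         ("root", "example-root-pw", "console")]:
        ok, msg, _ = check_login(users, who, pw, tty)
        print(f"{who}@{tty}: {msg}")
```

Running it shows four identical "Login incorrect" lines on the terminal while the warnings on stderr carry four different reasons; only the console attempt succeeds. The ordering matters: refusing root before the password check (Garrett's option 1) would tell a remote caller that the account is subject to a tty restriction, which is exactly the information J Wunsch and Mike Pritchard want withheld.
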
From: j@uriah.heep.sax.de (J Wunsch)
To: mpp@freefall.freebsd.org (Mike Pritchard)
Cc: freebsd-gnats-submit@freefall.freebsd.org
Subject: Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Date: Sun, 23 Feb 1997 22:03:08 +0100

 As Mike Pritchard wrote:
 
 > Both cases should probably just report "login incorrect", and send
 > a syslog message about.
 
 I also think so.  Note that we've plugged a similar hole in uucpd long
 ago (in FreeBSD 1.1.5.1 or earlier), while it's still wide open in
 4.4BSD-Lite2.
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
Responsible-Changed-From-To: freebsd-bugs->davidn 
Responsible-Changed-By: davidn 
Responsible-Changed-When: Mon Feb 24 15:03:50 EST 1997 
Responsible-Changed-Why:  
I'll fix this with other changes planned for login. 

From: Garrett Wollman <wollman@lcs.mit.edu>
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
Cc: freebsd-gnats-submit@freefall.freebsd.org
Subject: Re: bin/2804: /usr/sbin/login reports: "root login refused on this terminal." when it should report "Login incorrect"
Date: Mon, 24 Feb 1997 10:16:15 -0500

 <<On Sun, 23 Feb 1997 20:48:58 +0100, j@uriah.heep.sax.de (J Wunsch) said:
 
 > Both aren't correct either.  They allow spying additional UID 0
 > accounts.
 
 There shouldn't be any additional UID 0 accounts.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, ANA, or NSA|                     - Susan Aglukark and Chad Irschick
State-Changed-From-To: open->closed 
State-Changed-By: davidn 
State-Changed-When: Wed Mar 19 03:28:48 EST 1997 
State-Changed-Why:  
Fixed in revision 1.19 of login.c. 
>Unformatted:
