From fenner@parc.xerox.com  Mon Mar 24 14:44:59 1997
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id OAA16035
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 24 Mar 1997 14:44:58 -0800 (PST)
Received: from klute.parc.xerox.com ([13.2.116.207]) by alpha.xerox.com with SMTP id <15794(7)>; Mon, 24 Mar 1997 14:44:20 PST
Received: from sundae.parc.xerox.com ([13.2.117.33]) by klute.parc.xerox.com with SMTP id <59168>; Mon, 24 Mar 1997 14:43:55 PST
Received: (from fenner@localhost)
	by sundae.parc.xerox.com (8.8.5/8.8.5) id LAA04413;
	Mon, 24 Mar 1997 11:03:20 GMT
Message-Id: <199703241103.LAA04413@sundae.parc.xerox.com>
Date: Mon, 24 Mar 1997 03:03:20 PST
From: Bill Fenner <fenner@parc.xerox.com>
Reply-To: fenner@parc.xerox.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: possible to determine lack of root password over the network
X-Send-Pr-Version: 3.2

>Number:         3084
>Category:       bin
>Synopsis:       possible to determine lack of root password over the network
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    davidn
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 24 14:50:01 PST 1997
>Closed-Date:    Tue Mar 25 16:34:15 EST 1997
>Last-Modified:  Mon Apr 21 10:40:01 PDT 1997
>Originator:     Bill Fenner
>Release:        FreeBSD 2.2-RELEASE i386
>Organization:
Xerox
>Environment:

	
Just installed a fresh 2.2-RELEASE, haven't gotten around to setting
a root password yet.

>Description:

	
Telnetting to the machine and attempting to log on as root exposes
the fact that there is no root password, even though the message was
changed from "root login refused" to "login incorrect":

FreeBSD (sundae.parc.xerox.com) (ttyp1)

login: root
Login incorrect
login: 


>How-To-Repeat:

	
Try to log on as root on an insecure pty on a machine with no root password.


>Fix:
	
	

Ask for a password even if root doesn't have one, if you're going to
say "login incorrect" to try to hide information.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->davidn 
Responsible-Changed-By: davidn 
Responsible-Changed-When: Tue Mar 25 16:11:45 EST 1997 
Responsible-Changed-Why:  
I'm working on login. 
State-Changed-From-To: open->closed 
State-Changed-By: davidn 
State-Changed-When: Tue Mar 25 16:34:15 EST 1997 
State-Changed-Why:  
Fixed in -current and 2.2 branches. 

From: David Nugent <davidn@unique.usn.blaze.net.au>
To: fenner@parc.xerox.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, Bill Fenner <fenner@parc.xerox.com>
Subject: RE: bin/3084: possible to determine lack of root password over t
Date: Tue, 22 Apr 1997 03:33:46 +1000 (EST)

        
 > Telnetting to the machine and attempting to log on as root exposes
 > the fact that there is no root password, even though the message was
 > changed from "root login refused" to "login incorrect":
 
 This was fixed in a subsequent commit to the RELENG_2_2 branch, and
 duplicates a previous PR.
 
 >> Fix:
 
 Fetch the latest src/usr.bin/login sources, recompile and install.
 
 Regards,
 
 David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
 Voice +61-3-9791-9547  Data/BBS +61-3-9792-3507  3:632/348@fidonet
 davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
>Unformatted:
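
The difference described in this PR, as an added example that is not part of the original report and not FreeBSD's login source: a simplified C model of what a remote user sees when trying root on an insecure tty, comparing the reported flow with the prompt-always fix. The struct, the function names and the sample hash string are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed account record; a model, not FreeBSD's struct passwd. */
struct account {
    const char *pw_hash;   /* "" means no password is set */
};

/* Append one line the remote user would see to the transcript buffer. */
static void emit(char *out, size_t cap, const char *line)
{
    size_t used = strlen(out);
    if (used < cap)
        snprintf(out + used, cap - used, "%s\n", line);
}

/* Model one failed root attempt on an insecure tty as the remote side sees
 * it. ask_always=false is the reported behaviour; true is the PR's fix. */
void root_attempt(const struct account *root, bool ask_always,
                  char *out, size_t cap)
{
    out[0] = '\0';
    emit(out, cap, "login: root");
    /* Reported behaviour: an empty password field skips the prompt. */
    if (ask_always || root->pw_hash[0] != '\0')
        emit(out, cap, "Password:");
    /* Root on an insecure tty is refused whatever was typed. */
    emit(out, cap, "Login incorrect");
}

/* True when a remote observer can tell the two accounts apart. */
bool leaks_password_state(bool ask_always)
{
    const struct account unset = { "" };
    const struct account set = { "constructed-hash" };
    char a[128], b[128];
    root_attempt(&unset, ask_always, a, sizeof a);
    root_attempt(&set, ask_always, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void)
{
    printf("reported flow leaks: %d, prompt-always leaks: %d\n",
           leaks_password_state(false), leaks_password_state(true));
    return 0;
}
```

The generic "Login incorrect" text does not help while the prompt sequence itself differs; only prompting unconditionally makes the two transcripts identical.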
