From nobody@FreeBSD.org  Tue Jan 22 08:46:24 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 78C2D37B433
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Jan 2002 08:46:16 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0MGkGp34798;
	Tue, 22 Jan 2002 08:46:16 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201221646.g0MGkGp34798@freefall.freebsd.org>
Date: Tue, 22 Jan 2002 08:46:16 -0800 (PST)
From: Aragon Gouveia <aragon@phat.za.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftpd indiscreet about unprivileged user accounts
X-Send-Pr-Version: www-1.0

>Number:         34171
>Category:       bin
>Synopsis:       ftpd(8) indiscreet about unprivileged user accounts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 22 08:50:01 PST 2002
>Closed-Date:    
>Last-Modified:  Tue Jul 10 03:31:49 UTC 2012
>Originator:     Aragon Gouveia
>Release:        4.4
>Organization:
none
>Environment:
FreeBSD root.nis.za 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Dec  7 14:07:57 SAST 2001     root@root.nis.za:/usr/src/sys/compile/ROOT i386
>Description:
      Logging in via the ftpd and entering login information for, say, a nonexistent account simply returns a "530 Login incorrect" after entering username AND password. However, try logging in with an account that does exist, but whose shell is not listed in /etc/shells, and you get a "530 User xxxx access denied" after *only* entering the username. This immediately confirms to the client that the username does exist on the system! Not good imho.
>How-To-Repeat:
# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost FTP server (Version 6.00LS) ready.
user nobody
530 User nobody access denied.
quit
221 Goodbye.
Connection closed by foreign host.
>Fix:
      
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->yar 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Jul 12 17:33:08 PDT 2003 
Responsible-Changed-Why:  
Assign to ftpd maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34171 
State-Changed-From-To: open->suspended 
State-Changed-By: yar 
State-Changed-When: Tue Mar 2 10:48:38 PST 2004 
State-Changed-Why:  
Security through obscurity has proved inefficient. 
Enforcing strong authentication schemes and random passwords 
is way better than hiding user names. 

Therefore this issue is purely cosmetic and therefore stored 
in the refrigerator for someone having too much free time ;-) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34171 
State-Changed-From-To: suspended->open 
State-Changed-By: eadler 
State-Changed-When: Tue Jul 10 03:31:44 UTC 2012 
State-Changed-Why:  
there are other reasons to hide usernames (see sshd for example); open 
bug and hand over to the pool. I have not verified this is still the 
current behavior. 


Responsible-Changed-From-To: yar->freebsd-bugs 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Tue Jul 10 03:31:44 UTC 2012 
Responsible-Changed-Why:  
there are other reasons to hide usernames (see sshd for example); open 
bug and hand over to the pool. I have not verified this is still the 
current behavior. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34171 
>Unformatted:
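
Added example, not part of the original report and not FreeBSD ftpd source: a small C model of the USER/PASS exchange described above, showing the early 530 reply next to a variant that always asks for a password and fails with one generic reply. The account table, plaintext passwords and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table standing in for passwd(5) plus /etc/shells;
 * passwords are plaintext only to keep the model short. */
struct acct { const char *name, *pass; int shell_ok; };
static const struct acct accts[] = {
    { "alice",  "s3cret", 1 },   /* normal login account */
    { "nobody", "*",      0 },   /* exists, shell not in /etc/shells */
};

struct session { const struct acct *pw; int denied; };

static const struct acct *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        if (strcmp(accts[i].name, name) == 0) return &accts[i];
    return NULL;
}

/* Behaviour described in the report: a restricted account is refused at USER,
 * while an unknown name is asked for a password. */
int user_leaky(struct session *s, const char *name) {
    s->pw = lookup(name);
    s->denied = 0;
    if (s->pw && !s->pw->shell_ok) return 530;   /* "User xxxx access denied" */
    return 331;                                   /* password required */
}

/* Uniform variant: record the decision, always ask for the password. */
int user_uniform(struct session *s, const char *name) {
    s->pw = lookup(name);
    s->denied = (s->pw == NULL || !s->pw->shell_ok);
    return 331;
}

/* PASS: one generic failure reply regardless of why the login failed. */
int pass_cmd(const struct session *s, const char *pass) {
    if (s->denied || s->pw == NULL || strcmp(s->pw->pass, pass) != 0)
        return 530;                               /* "Login incorrect" */
    return 230;
}

int main(void) {
    struct session s;
    const char *names[] = { "nobody", "ghost", "alice" };
    for (int i = 0; i < 3; i++)
        printf("%-6s leaky=%d uniform=%d\n", names[i],
               user_leaky(&s, names[i]), user_uniform(&s, names[i]));
    return 0;
}
```

In the uniform variant the reply to USER is the same for existing, restricted and unknown names, so the reply code alone no longer distinguishes them.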
