| Summary: | Invalid users vs. PAM (protocol 1 only (?)) |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Pavel Kankovsky <peak> |
| Component: | sshd |
| Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED |
| Severity: | minor |
| Priority: | P2 |
| Version: | -current |
| Hardware: | All |
| OS: | Linux |
Description
Pavel Kankovsky
2002-02-13 12:10:56 AEDT
Created attachment 24
Fake username for invalid ssh protocol 1 users
Does the attached patch help?

It works for me - committing.

Why NOUSER? What is wrong with the user they specified? Why can't we do the full auth for the user - let PAM do its thing and then bail? This would allow users who use pam_unix's 'audit' flag (for example) to get accurate and consistent failed password logs across all daemons on a system. Then, if for some reason PAM still thinks they are perfectly valid (despite no /etc/passwd entry) *then* we kill it off. How does this sound? I'll propose a patch if required.

NOUSER hides disclosure of passwords from users who accidentally type their password into a login prompt. Please open another bug if you want to change the functionality.

Well, when a user types his/her password as a login name, it will probably appear in the log anyway (in a message generated by sshd itself: Feb 14 15:07:14 kunhuta sshd[17775]: Failed password for illegal user blabla from 127.0.0.1 port 2995). Nevertheless, the patch appears to solve the problem I reported.

Mass change of RESOLVED bugs to CLOSED
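An added example, not part of this thread or of OpenSSH: the last technical reply notes that sshd's own "Failed password for illegal user ..." line still records whatever was typed as the login name. The sketch below scrubs that field before logs are forwarded, keeping a keyed digest so repeated attempts still correlate. The function names, the key and every sample line except the first are constructed; names containing spaces are an assumption, and "invalid user" is the wording later OpenSSH releases use.

```python
import hashlib
import hmac
import re
from collections import Counter

# "illegal user" is the wording in the log line quoted in this thread;
# "invalid user" is what later OpenSSH releases print for the same event.
FAILED_UNKNOWN = re.compile(
    r"^(?P<head>.*?sshd\[\d+\]: Failed \S+ for (?:illegal|invalid) user )"
    r"(?P<name>.*)"  # greedy: assume the typed name may itself contain spaces
    r"(?P<tail> from (?P<addr>\S+) port \d+(?: ssh\d)?)$"
)

def redact_line(line, key):
    """Return (scrubbed_line, source_addr); addr is None when nothing was redacted."""
    m = FAILED_UNKNOWN.match(line)
    if m is None:
        return line, None  # known-account failures and other lines pass through
    # Keyed digest: identical typed strings still correlate across lines,
    # but the string itself never reaches the forwarded log.
    digest = hmac.new(key, m["name"].encode("utf-8", "replace"), hashlib.sha256)
    tag = digest.hexdigest()[:12]
    return f"{m['head']}<redacted:{tag}>{m['tail']}", m["addr"]

def scrub(lines, key):
    """Scrub a batch of lines and count redacted failures per source address."""
    out, per_source = [], Counter()
    for line in lines:
        clean, addr = redact_line(line.rstrip("\n"), key)
        out.append(clean)
        if addr is not None:
            per_source[addr] += 1
    return out, per_source

# Constructed sample input: line 1 is the one quoted in the thread, the rest are made up.
SAMPLE = [
    "Feb 14 15:07:14 kunhuta sshd[17775]: Failed password for illegal user blabla from 127.0.0.1 port 2995",
    "Feb 14 15:07:20 kunhuta sshd[17776]: Failed password for illegal user my pass from 10.0.0.9 port 1 from 127.0.0.1 port 2996",
    "Feb 14 15:07:31 kunhuta sshd[17777]: Failed password for invalid user blabla from 192.0.2.7 port 40022 ssh2",
    "Feb 14 15:07:40 kunhuta sshd[17778]: Failed password for root from 192.0.2.7 port 40023 ssh2",
]

if __name__ == "__main__":
    cleaned, counts = scrub(SAMPLE, key=b"constructed-demo-key")
    print("\n".join(cleaned))
    print(dict(counts))
```

The second sample line shows why the pattern anchors on the last " from ADDR port N": a typed string that imitates the suffix is still redacted in full, and the real source address is the one counted.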