
Re: Behavior of module that support /etc/nologin

On Mon, 31 Mar 1997, Andrew G. Morgan wrote:
>> I notice that if my system has an /etc/nologin file, logins are denied (as
>> they should be), but users always receive the "Login incorrect" message,
>> whether there's something in /etc/nologin or not.  Is this considered
>> "correct" behavior, or is this a glitch?  It seems rather misleading,
>> whatever the case.
>This is correct. For security reasons, an attacking user is not supposed to
>know why they failed to gain access to the system.  Legitimate users have
>other means of doing this.

But if the contents of /etc/nologin (if any) are displayed if (and
only if) the user enters a correct username and password, you've just
given away that the username/password combination is correct, even if
the attacker hasn't gained shell account because of the (presumably
temporary) login restriction.  It seems to me that, in order to be
consistent, you should either display "Login incorrect" *and nothing else*
in all cases that the user is not allowed in, or remove the misleading
"Login incorrect" message when /etc/nologin takes effect for users that
successfully authenticate.  Currently, if /etc/nologin contains anything,
the "Login incorrect" serves absolutely no purpose except to confuse
legitimate users.  If you want to dictate that /etc/nologin shouldn't
contain a message specifically so that it doesn't serve as an indication
that the login attempt was successful, then you should go ahead and
disable the printing of its contents in /bin/login (or wherever).

    Steve Coile           P a t r i o t  N e t      Systems Engineering
 scoile@patriot.net      Patriot Computer Group        (703) 277-7737
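
The argument in the message above can be checked mechanically. The following is an added illustration, not code from the post, from PAM, or from /bin/login: it models what a user sees while /etc/nologin exists under the current behaviour and under the two alternatives the message proposes, and reports whether the output alone distinguishes a correct password from a wrong one. The policy names, the output ordering, and the sample file contents are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy names for the three behaviours discussed in the thread. */
enum policy {
    CURRENT,  /* nologin contents after a correct password, then "Login incorrect" */
    UNIFORM,  /* "Login incorrect" and nothing else, in every case */
    HONEST    /* nologin contents only, no "Login incorrect", after a correct password */
};

/* Build the text a user sees while /etc/nologin exists.
   nologin_msg models the file's contents ("" for an empty file). */
static void denied_output(enum policy p, int auth_ok, const char *nologin_msg,
                          char *out, size_t n)
{
    out[0] = '\0';
    if (auth_ok && p != UNIFORM)
        snprintf(out, n, "%s", nologin_msg);
    if (!auth_ok || p != HONEST)
        snprintf(out + strlen(out), n - strlen(out), "Login incorrect\n");
}

/* Returns 1 if the output for a correct password differs from the output
   for a wrong one, i.e. the response confirms the credentials are valid. */
int reveals_valid_credentials(enum policy p, const char *nologin_msg)
{
    char good[512], bad[512];
    denied_output(p, 1, nologin_msg, good, sizeof good);
    denied_output(p, 0, nologin_msg, bad, sizeof bad);
    return strcmp(good, bad) != 0;
}

int main(void)
{
    /* Constructed sample contents for /etc/nologin. */
    const char *msgs[] = { "", "System down for maintenance.\n" };
    const char *names[] = { "current", "uniform", "honest" };

    for (int p = CURRENT; p <= HONEST; p++)
        for (int m = 0; m < 2; m++)
            printf("%-8s nologin %-9s -> distinguishable: %d\n",
                   names[p], m ? "non-empty" : "empty",
                   reveals_valid_credentials((enum policy)p, msgs[m]));
    return 0;
}
```

In this model only the uniform policy keeps the two cases indistinguishable for any file contents; the current behaviour does so only while /etc/nologin is empty.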
