login while invalid user (sanity check is missing)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
We have been working on Ubuntu for a long time and used to log in to access the machine using ssh, telnet and other services. I have observed strange behavior when we log on. Usually, if the password matches for the given username, it authenticates and grants access to the machine.
Strange scenario:
Let's assume we enter an invalid username; it still expects the password of the invalid user. In this case, we always end up in the unsuccessful case. To avoid this, shall we block the password prompt if an invalid username is entered? We should report that the entered username is invalid.
```
root@murali:
XYZ@10.100.1.106's password:
Permission denied, please try again.
XYZ@10.100.1.106's password:
Permission denied, please try again.
XYZ@10.100.1.106's password:
Permission denied (publickey,
root@murali:
root@murali:
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
root@murali:
```
Thanks
Murali.S
This is a security measure intended to prevent username enumeration -- this is an explicit design decision.
For more details, see e.g. https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
Thanks
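As an added illustration of the design decision the comment describes (example code, not from the bug report and not OpenSSH's or PAM's own code): an authentication check that answers an unknown username and a wrong password with the same message and the same amount of work, placed beside the variant the report asks for, which reveals whether a username exists. The user store, salts and passwords are constructed sample data.

```python
"""Added example (not part of the bug report): uniform failure for unknown
user vs. wrong password, so responses cannot be used to enumerate accounts."""
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"murali": (_SALT, _derive("correct horse", _SALT))}

# Dummy credential checked when the username is unknown, so the unknown-user
# path costs the same as a real password check (no timing or message leak).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("dummy", _DUMMY_SALT)

DENIED = "Permission denied, please try again."


def authenticate(username: str, password: str) -> tuple[bool, str]:
    """Return (ok, message). The message is identical for an unknown
    username and for a known username with a wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _derive(password, salt)
    # compare_digest avoids short-circuiting on the first differing byte.
    matched = hmac.compare_digest(candidate, stored)
    # An unknown user never succeeds, even if the dummy hash happened to match.
    if username not in USERS or not matched:
        return False, DENIED
    return True, "Authenticated"


def leaky_authenticate(username: str, password: str) -> tuple[bool, str]:
    """The behaviour the report requests: a distinct message for an invalid
    username. Shown for contrast only; it reveals which usernames exist."""
    if username not in USERS:
        return False, "Invalid username"
    salt, stored = USERS[username]
    if hmac.compare_digest(_derive(password, salt), stored):
        return True, "Authenticated"
    return False, DENIED
```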