login while invalid user (sanity check is missing)

Bug #1294799 reported by murali selvaraj
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

We have been working on Ubuntu for a long time and log in to access the machine using ssh, telnet and other services. I have observed strange behavior when we log on. Usually, if the password matches for the given username, it authenticates and grants access to the machine.

Strange scenario:
Let's assume we enter an invalid username; it still expects the password of the invalid user. In this case, we always end up in the unsuccessful case. To avoid this, shall we block the prompt for the password if an invalid username is entered? We should report that the entered username is invalid.

root@murali:/etc/pam.d# ssh 10.100.1.106 -l XYZ ====> ( XYZ is an invalid user in this linux machine)
XYZ@10.100.1.106's password:
Permission denied, please try again.
XYZ@10.100.1.106's password:
Permission denied, please try again.
XYZ@10.100.1.106's password:
Permission denied (publickey,password).
root@murali:/etc/pam.d#

root@murali:/etc/pam.d# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
root@murali:/etc/pam.d#

Thanks
Murali.S

Seth Arnold (seth-arnold) wrote:

This is a security measure intended to prevent username enumeration -- this is an explicit design decision.

For more details, see e.g. https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)

Thanks
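
The design decision Seth describes, shown as an added Python example (this is not code from OpenSSH, PAM or this bug report): a login check that behaves the same for an unknown username as for a known username with a wrong password, so a client cannot tell the two cases apart from the response or from the amount of work done. The user table, the dummy hash and the `check_login` / `check_login_leaky` functions are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample user database (not a real /etc/shadow): username -> (salt, PBKDF2 hash).
_ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    """Password hashing used for the illustration (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _derive(password, salt))


USERS = {
    "alice": _make_user("correct horse"),
}

# Hash to compare against when the username does not exist, so the unknown-user
# path performs the same hashing work as the wrong-password path (no timing leak).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("not a real password", _DUMMY_SALT)

GENERIC_FAILURE = "Permission denied, please try again."


def check_login_leaky(username: str, password: str) -> str:
    """What the reporter asked for: tell the client when the username is unknown.

    This returns early, without hashing, for unknown users, so both the message
    and the response time reveal which usernames exist (username enumeration).
    """
    if username not in USERS:
        return "Invalid user"
    salt, expected = USERS[username]
    if hmac.compare_digest(_derive(password, salt), expected):
        return "OK"
    return GENERIC_FAILURE


def check_login(username: str, password: str) -> str:
    """Enumeration-resistant check: same message and same hashing work whether
    the user is unknown or the password is wrong."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_derive(password, salt), expected)
    # The "username in USERS" guard prevents a login as a non-existent user if
    # someone happens to supply the dummy password; it is evaluated after the
    # hashing so the unknown-user path still does the full amount of work.
    if matched and username in USERS:
        return "OK"
    return GENERIC_FAILURE


if __name__ == "__main__":
    for user, pw in (("XYZ", "anything"), ("alice", "wrong"), ("alice", "correct horse")):
        print(f"leaky   {user!r}: {check_login_leaky(user, pw)}")
        print(f"uniform {user!r}: {check_login(user, pw)}")
```

Run against the constructed table, the leaky version answers "Invalid user" for XYZ while the uniform version answers "Permission denied, please try again." for both XYZ and a wrong password for alice, which is the same shape as the sshd transcript in the report. Returning a generic message is only half of the measure; the dummy-hash comparison is what keeps the unknown-user path from being measurably faster.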

information type: Private Security → Public Security
Changed in linux (Ubuntu):
status: New → Invalid