[2124] in linux-security and linux-alert archive
[linux-security] Quirks in telnet
daemon@ATHENA.MIT.EDU (Suchandra Thapa)
Sat Feb 13 03:46:43 1999
Date: Fri, 12 Feb 1999 20:10:25 -0600 (CST)
From: Suchandra Thapa <soonu@sl-175-044.rh.uchicago.edu>
Reply-To: s-thapa@uchicago.edu
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
I noticed a wierd quirk in telnet on redhat 5.2 that
seems to allow others to verify whether an account name exists
on a linux machine or not. If you telnet into a machine and
use an username that does not exist, you get four attempts
before the telnet session is closed. If the username exists
then you have three attempts before the session is closed.
I know that there are other ways to find out whether
an account exists on a machine or not. But this allows you
verify that an account exists using service that is almost
always running.
[mod: I think we discussed this already. I guess someone almost
fixed it... :-( -- REW]
------------------------------------------------------------------
Suchandra S. Thapa
s-thapa@uchicago.edu
------------------------------------------------------------------
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
