[641] in linux-security and linux-alert archive


[linux-security] Security bug in login (RedHat 2.1 & 3.0.3)

daemon@ATHENA.MIT.EDU (Wojciech Zwiefka)
Mon Mar 25 19:19:00 1996

Date: Mon, 25 Mar 1996 11:46:22 +0100 (MET)
From: Wojciech Zwiefka <wojtekz@gumbeers.elka.pg.gda.pl>
To: redhat-list@redhat.com
Cc: linux-security@tarsier.cv.nrao.edu

[mod: This was originally sent to linux-alert, but I felt that this problem
      is not serious enough to warrant a full-blown alert, so I'm redirecting
      it to linux-security. System logs should be read-protected anyway.
                                                --okir]

Hi,

There is a "little" security bug in login in RedHat 2.1 & 3.0.3.
login logs failed logins via syslogd. It should log each attempt
for KNOWN accounts and only from the 2nd attempt on for unknown accounts (to
avoid logging a password written by mistake).

Here goes sample from syslog

Mar 25 10:42:10 alf login: 2 LOGIN FAILURES ON tty4, blahblah
Mar 25 10:42:15 alf login: ROOT LOGIN ON tty4

It says that there were 2 login failures on tty4, blahblah, but to
tell the truth I tried only ONCE - so after ONE attempt on an unknown account
the attempt is logged (e.g. the root password is used by mistake as the login name,
and then root corrects himself and logs in with the right login and password. So
anyone can see the root password.) Of course that is the worst scenario - it
could be any user's password.
 
Wojtek Zwiefka

P.S.1. 
I didn't try using login from logdaemon-5.0 by Wietse Venema on
Linux (I use it on Ultrix) but maybe it will work.

P.S.2.
(Little fragment from README.WVZ from logdaemon-5.0 by Wietse Venema)

This version of 4.3 BSD NET1 login.c has been hacked for SunOS 4.x,
and SunOS 5.x, Ultrix 4.x and other systems.

The enhanced login command reports every login failure that is not
followed by a successful login (the threshold for reporting a failure
is 1 for known account names, 2 for other names). Unfortunately, only
the SunOS5 variant of the program supports shadow passwords and
password aging. See below for a list of enhancements.


--
Wojciech Zwiefka <wojtekz@gumbeers.elka.pg.gda.pl>
Technical University of Gdansk, Poland
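The following is an added illustration (not the login.c of RedHat 2.1/3.0.3, nor logdaemon-5.0's) of the bookkeeping behind the "N LOGIN FAILURES ON tty, name" message quoted in the report, with the two reporting policies side by side: syslog every failure as it happens (what the report observed), versus the README.WVZ rule of reporting only failures that are not followed by a successful login, with a threshold of 1 for known account names and 2 for other names. The account list, tty name and login attempts are constructed; a real login would consult getpwnam() and syslog().

```c
/* Added model of BSD-style login failure reporting; not RedHat's or
 * logdaemon's code. Account list and attempts are constructed inputs. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 128

enum policy {
    REPORT_EACH_FAILURE, /* syslog every failure as it happens (as observed) */
    REPORT_LOGDAEMON     /* README.WVZ: report failures not followed by a
                            success; threshold 1 for known names, 2 otherwise */
};

struct attempt {
    const char *name;    /* what was typed at the "login:" prompt */
    bool success;        /* password check passed for that name */
};

/* Constructed stand-in for the password database (real login: getpwnam()). */
static const char *const known_accounts[] = { "root", "wojtek", "guest" };

static bool account_known(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof known_accounts / sizeof known_accounts[0]; i++)
        if (strcmp(name, known_accounts[i]) == 0)
            return true;
    return false;
}

/* Last line handed to "syslog"; kept so callers can inspect it. */
static char g_last_line[MAX_LINE];
static const char *last_logline(void) { return g_last_line; }

static void log_failures(int failures, const char *tty, const char *name)
{
    /* Same shape as the message in the report: whatever was typed as the
     * login name, a mistyped password included, lands in the log. */
    snprintf(g_last_line, sizeof g_last_line,
             "login: %d LOGIN FAILURE%s ON %s, %s",
             failures, failures > 1 ? "S" : "", tty, name);
}

/* Run one tty session; returns the number of syslog lines produced. */
static int login_session(const char *tty, const struct attempt *a, int n,
                         enum policy pol)
{
    int failures = 0, lines = 0, i;
    bool succeeded = false;
    const char *last_failed = "";

    g_last_line[0] = '\0';
    for (i = 0; i < n; i++) {
        if (a[i].success) { succeeded = true; break; }
        failures++;
        last_failed = a[i].name;
        if (pol == REPORT_EACH_FAILURE) {
            log_failures(failures, tty, last_failed);
            lines++;
        }
    }
    if (pol == REPORT_LOGDAEMON && !succeeded && failures > 0) {
        int threshold = account_known(last_failed) ? 1 : 2;
        if (failures >= threshold) {
            log_failures(failures, tty, last_failed);
            lines++;
        }
    }
    return lines;
}

/* Scenario from the report: the root password ("s3cretpw", constructed) is
 * typed as the login name, then root logs in correctly. */
static int scenario_mistyped_password(enum policy pol)
{
    static const struct attempt a[] = { { "s3cretpw", false }, { "root", true } };
    return login_session("tty4", a, 2, pol);
}

/* `count` wrong guesses at an unknown name, no success (count <= 8). */
static int scenario_unknown_failures(int count, enum policy pol)
{
    struct attempt a[8];
    int i;
    if (count > 8) count = 8;
    for (i = 0; i < count; i++) { a[i].name = "blah"; a[i].success = false; }
    return login_session("tty4", a, count, pol);
}

/* One failed attempt on a known account, no success. */
static int scenario_known_once(enum policy pol)
{
    static const struct attempt a[] = { { "root", false } };
    return login_session("tty4", a, 1, pol);
}

int main(void)
{
    scenario_mistyped_password(REPORT_EACH_FAILURE);
    printf("each failure: %s\n", last_logline());
    scenario_mistyped_password(REPORT_LOGDAEMON);
    printf("logdaemon:    %s\n", last_logline()[0] ? last_logline() : "(nothing logged)");
    return 0;
}
```

With REPORT_EACH_FAILURE the mistyped-password session produces "login: 1 LOGIN FAILURE ON tty4, s3cretpw", i.e. the password is in the log; under the README.WVZ rule the same session logs nothing, while two failures on an unknown name or one failure on a known account are still reported. Either way the moderator's point stands: whatever policy login uses, the file syslogd writes these lines to should not be world-readable.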
