Subject: Re: Re: lib/30923
To: Martin Husemann <martin@duskware.de>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 08/26/2005 10:23:03
--/Uq4LBwYP4y1W6pO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Aug 26, 2005 at 12:15:44AM +0200, Martin Husemann wrote:
> On Thu, Aug 25, 2005 at 11:00:54AM +0200, Zafer Aydogan wrote:
> > Rui, you don't seem to get it. A Message is printed by syslog on the
> > console. The Message that should be removed is on the remote end.
> > That is a security issue!
>=20
> Apparently it is not clear to everyone that the traditional behaviour
> suddenly is wrong from a security POV (or noone uses telnetd any
> more nor runs insecure ttys).
While I agree with what I understand the change is (make the wrong=20
password and right-password-wrong-terminal messages the same), I agree=20
it's a change w.r.t. past behavior.
> A PR is not the right place to discuss this - maybe bring this up on
> tech-security and if consensus is reached, someone might apply the=20
> rumored patch (the PR has no patch, as of a few minutes ago).
I think such a discussion would be good. I think we should make this=20
change, but getting some attention paid to it in a security-focused=20
setting will be good too.
Take care,
Bill
--/Uq4LBwYP4y1W6pO
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQFDD0/3Wz+3JHUci9cRAs97AKCTTV6g6FOcTFNamjpgMtX4JaaKtQCdFqwG
pBOdnnhUhECtivSEBKYqtaQ=
=5NsE
-----END PGP SIGNATURE-----
--/Uq4LBwYP4y1W6pO--