dce@mips.UUCP (04/10/87)
(This may actually apply in a broad sense to a 4.2BSD system as well,
even though a different security method is used, but I don't have one
that I can try it on.)
In 4.3BSD, one can only login as root on a port if the port is marked
"secure" in /etc/ttys. If you try to login as root on a port not marked
as such, the message "Login incorrect." is printed and you get a new
login prompt.
Our system administrator ran into this a couple of weeks ago when working
on a newly-installed system (we don't ship /etc/ttys with ptys marked as
secure; should we?).
This struck him (and me) as odd, since the classic scenario in Unix
security is that login should *always* prompt for a password to make
sure that someone trying to break in can't tell if the username is
valid or not. The idea is that telling a breaker that an account name
is or isn't valid is giving him/her an edge, and so should be avoided.
Is there a good reason that login shouldn't go ahead and prompt for a
password in this case just for the sake of consistency?
--
David Elliott {decvax,ucbvax,ihnp4}!decwrl!mips!dce
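
Added example, not part of the original post and not 4.3BSD's login source: a small C model of the two flows the post contrasts, refusing root on a non-secure port before the password prompt versus always prompting and applying the port check afterwards. The account table, passwords, function names and the plain string comparison are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed accounts for illustration; real login compares crypt() hashes. */
struct acct { const char *name, *pass; int uid; };
static const struct acct accts[] = { {"root", "constructed-root-pw", 0},
                                     {"dce",  "constructed-user-pw", 101} };
typedef int (*login_fn)(const char *, const char *, int, char *, size_t);

static const struct acct *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        if (strcmp(accts[i].name, name) == 0) return &accts[i];
    return NULL;
}

/* Flow as described in the post: root on a port not marked secure is
 * refused before any password prompt. 'out' receives what the user sees. */
int login_early_reject(const char *user, const char *pw, int secure, char *out, size_t n) {
    const struct acct *a = lookup(user);
    if (a && a->uid == 0 && !secure) { snprintf(out, n, "Login incorrect.\n"); return 0; }
    int ok = a && strcmp(a->pass, pw) == 0;
    snprintf(out, n, "Password:%s", ok ? "\n" : "\nLogin incorrect.\n");
    return ok;
}

/* Uniform flow: always prompt, then apply the port restriction. */
int login_uniform(const char *user, const char *pw, int secure, char *out, size_t n) {
    const struct acct *a = lookup(user);
    int ok = a && strcmp(a->pass, pw) == 0;
    if (ok && a->uid == 0 && !secure) ok = 0;   /* same refusal, after the prompt */
    snprintf(out, n, "Password:%s", ok ? "\n" : "\nLogin incorrect.\n");
    return ok;
}

/* 1 if a failed root attempt on a non-secure port looks different from a
 * failed attempt for a name that does not exist, 0 if indistinguishable. */
int distinguishable(login_fn f) {
    char a[64], b[64];
    f("root", "wrong", 0, a, sizeof a);
    f("nosuchuser", "wrong", 0, b, sizeof b);
    return strcmp(a, b) != 0;
}

int main(void) {
    printf("early reject distinguishable: %d\n", distinguishable(login_early_reject));
    printf("uniform distinguishable:      %d\n", distinguishable(login_uniform));
    return 0;
}
```

In the uniform flow a correct root password on a non-secure port still ends in "Login incorrect.", so the port restriction is kept while every failed attempt produces the same transcript.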