dce@mips.UUCP (04/10/87)
(This may actually apply in a broad sense to a 4.2BSD system as well, even though a different security method is used, but I don't have one that I can try it on.)

In 4.3BSD, one can only login as root on a port if the port is marked "secure" in /etc/ttys. If you try to login as root on a port not marked as such, the message "Login incorrect." is printed and you get a new login prompt.

Our system administrator ran into this a couple of weeks ago when working a newly-installed system (we don't ship /etc/ttys with ptys marked as secure; should we?).

This struck him (and me) as odd, since the classic scenario in Unix security is that login should *always* prompt for a password to make sure that someone trying to break in can't tell if the username is valid or not. The idea is that telling a breaker that an account name is or isn't valid is giving him/her an edge, and so should be avoided.

Is there a good reason that login shouldn't go ahead and prompt for a password in this case just for the sake of consistency?

--
David Elliott
{decvax,ucbvax,ihnp4}!decwrl!mips!dce
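The two orderings the post contrasts, as an added example that is not part of the original post and is not 4.3BSD's login source: a simplified C model that records whether a password prompt was shown. The account names, passwords, /etc/ttys entries and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in the 4.3BSD /etc/ttys layout: name, command, type, flags. */
static const char *SAMPLE_TTYS[] = {
    "console \"/etc/getty std.9600\" vt100 on secure",
    "ttyp0 none network", NULL };
/* Constructed accounts for this model: {name, password}. */
static const char *ACCOUNTS[][2] = { {"root", "rootpw"}, {"dce", "dcepw"} };

/* 1 if the sample entry for `tty` ends in the "secure" flag (simplified parse). */
int tty_is_secure(const char *tty) {
    for (size_t i = 0, n = strlen(tty); SAMPLE_TTYS[i]; i++) {
        const char *e = SAMPLE_TTYS[i], *last = strrchr(e, ' ');
        if (strncmp(e, tty, n) == 0 && e[n] == ' ')
            return last && strcmp(last + 1, "secure") == 0;
    }
    return 0;
}
static int password_ok(const char *user, const char *pw) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i][0], user) == 0)
            return strcmp(ACCOUNTS[i][1], pw) == 0;
    return 0; /* unknown user fails like a wrong password */
}
static int root_blocked(const char *user, const char *tty) {
    return strcmp(user, "root") == 0 && !tty_is_secure(tty);
}
struct outcome { int prompted, logged_in; };
/* Order described in the post: the tty rule fires before any password prompt. */
struct outcome login_early_reject(const char *user, const char *tty, const char *pw) {
    struct outcome o = {0, 0};
    if (root_blocked(user, tty)) return o; /* "Login incorrect." at once */
    o.prompted = 1;
    o.logged_in = password_ok(user, pw);
    return o;
}
/* Consistent order: always prompt, then apply the tty rule to the result. */
struct outcome login_always_prompt(const char *user, const char *tty, const char *pw) {
    struct outcome o = {1, 0};
    o.logged_in = password_ok(user, pw) && !root_blocked(user, tty);
    return o;
}
int main(void) {
    const char *users[] = {"root", "nosuch"};
    for (int i = 0; i < 2; i++)
        printf("%-6s early prompted=%d  always prompted=%d\n", users[i],
               login_early_reject(users[i], "ttyp0", "x").prompted,
               login_always_prompt(users[i], "ttyp0", "x").prompted);
    return 0;
}
```

In the first ordering the `prompted` field differs between root and any other name on a non-secure port; in the second it is the same for every name, and root is still refused there even with the right password.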