Bugtraq mailing list archives
Re: Solaris non-root login (was: IRIX 6.2 pass...)
From: R.J.Yates () OPEN AC UK (Richard Yates SPG)
Date: Tue, 29 Sep 1998 15:13:32 +0100
Eugene Bradley writes:
> On 28 Sep 98, @ 16:14, D.A. Harris <rodmur () ECST CSUCHICO EDU> wrote:
>
> > Actually, something that I think is a bug in IRIX, something that hasn't been fixed in 6.5, is the behavior of login when you specify that root can only login into /dev/console (this can be set in /etc/default/login). Instead of immediately denying someone access when they try to telnet or rlogin as root to a box, it lets you still attempt the password, and only denies you access when you get the password correct. [ ... ]
>
> This login bug also exists on every version of Solaris that I've worked with, from 2.3 all the way to 2.6 HW 5/98 <rant> [ ... ] </rant>

Solaris 2.3: passwd/wrongpw => chucked off, no msg/Not on system console.
Solaris 2.4: => login incorrect/login incorrect.
Solaris 2.5.1: => Not on system console/Not on system console.
Solaris 2.6:1: => Not on system console/Not on system console.

Various patches all over the place, so you should be able to get some to suit you. The behaviour seems to be consistently inconsistently consistent. However, the system takes longer to chuck you off if you stick in the wrong passwd. I wonder why? (No, I don't, this is a rhetorical question!).

Richard.

--
The Open University is not responsible for content herein, which may be incorrect and is used at reader's own risk.