Bugtraq mailing list archives

Re: IRIX 6.2 passwordless accounts exploit?


From: khawkins () NCSA UIUC EDU (Kevin Hawkins)
Date: Wed, 30 Sep 1998 11:51:35 -0500


HP-UX exhibits the same behavior.  Actually, when I questioned this
behavior on comp.sys.hp.hpux a while back (look for the subject
"Better remote access denial than securetty?" through DejaNews if
you're interested), the only response I got took the approach that
it was more of a feature than a bug.  But I didn't think the arguments
given were a strong enough case against just dropping root login
attempts that weren't at the console.

So maybe the vendors don't see it as a bug?  I certainly do.

                Kevin


At 04:14 PM 9/28/98 -0700, D.A. Harris wrote:

Actually, something that I think is a bug in IRIX, something that hasn't been
fixed in 6.5, is the behavior of login when you specify that root can
only login into /dev/console (this can be set in /etc/default/login).
Instead of immediately denying someone access when they try to telnet
or rlogin as root to a box, it lets you still attempt the password, and
only denies you access when you get the password correct.  So a hacker would
know that they have the right root password, so all he has to do is hack
a user account, probably not too difficult.  What login should do is once
root gets entered at the login prompt, it should give an error and disconnect,
that way no potential hint to the root password would be given.


--
Dale Harris       <rodmur () csuchico edu>     PGP KeyID: E26EC5FD
System Administrator                           ph.  (530) 898-4421
Computer Graphics, Instructional Media Center  fax. (530) 898-5369
California State University, Chico, California 95929-0005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


--
Kevin Hawkins - NCSA Security
email: khawkins () ncsa uiuc edu
PGP: http://www.ncsa.uiuc.edu/People/khawkins/pgp.html
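
The check ordering discussed in this thread, modelled as an added example (not part of the original posts, and not IRIX or HP-UX source). The single root account, the sample password and the tty names are constructed assumptions; the model compares the response a remote root attempt gets under each ordering.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the login decision; all values below are samples. */
#define ROOT_PW    "constructed-secret"
#define CONSOLE    "/dev/console"
#define REMOTE_TTY "/dev/ttyq0"          /* stands in for a telnet/rlogin pty */

enum result { LOGIN_OK, LOGIN_INCORRECT, NOT_ON_CONSOLE };
struct attempt { const char *user, *password, *tty; };
typedef enum result (*login_fn)(const struct attempt *);

static int password_ok(const struct attempt *a) {
    return strcmp(a->password, ROOT_PW) == 0;
}

/* root is restricted to the console, as set via /etc/default/login */
static int violates_console_rule(const struct attempt *a) {
    return strcmp(a->user, "root") == 0 && strcmp(a->tty, CONSOLE) != 0;
}

/* Ordering reported in the thread: password checked first, tty rule second. */
enum result login_password_first(const struct attempt *a) {
    if (!password_ok(a)) return LOGIN_INCORRECT;
    if (violates_console_rule(a)) return NOT_ON_CONSOLE;
    return LOGIN_OK;
}

/* Ordering the posters ask for: tty rule first, password never evaluated. */
enum result login_tty_first(const struct attempt *a) {
    if (violates_console_rule(a)) return NOT_ON_CONSOLE;
    if (!password_ok(a)) return LOGIN_INCORRECT;
    return LOGIN_OK;
}

/* 1 if a remote root attempt gets a different answer for a right and a
   wrong password, i.e. the response confirms the password. */
int response_reveals_password(login_fn login) {
    struct attempt right = { "root", ROOT_PW, REMOTE_TTY };
    struct attempt wrong = { "root", "wrong-guess", REMOTE_TTY };
    return login(&right) != login(&wrong);
}

int main(void) {
    printf("password-first reveals password: %d\n",
           response_reveals_password(login_password_first));
    printf("tty-first reveals password:      %d\n",
           response_reveals_password(login_tty_first));
    return 0;
}
```
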


