Nicholas Fleisher
2008-May-22 02:16 UTC
[Secure-testing-team] Bug#482352: libpam-runtime: login for nonexistent user fails without password prompt
Package: libpam-runtime
Version: 0.99.7.1-6
Severity: grave
Tags: security
Justification: user security hole

At console login, an invalid username will cause the login procedure to fail *before* it prompts you for a password. (I only discovered this because I accidentally mistyped my username.) This allows someone to discover, without ever logging in, whether a given username exists on the system or not. Seems like an important security issue.

The exact same issue cropped up on Arch Linux last fall (Nov 2007), where it was determined to be a libpam problem. I don't know enough to know which libpam package precisely is involved, but I only have three on my system: libpam-modules, libpam-runtime, libpam0g, all with the same maintainer, so hopefully this is getting to the right person.

Relevant Arch bug report: http://bugs.archlinux.org/task/8742

Apologies if I've reported this as too severe: it was dealt with as high severity in Arch, and seems like a major issue to this layman. Wish I could tell you more, but as far as I can tell that's the extent of the problem; everything works just fine if you login with a name that exists on the system.

-NF

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- no debconf information
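The behaviour the report describes, modelled as a toy login routine in Python (an added illustration, not code from the bug report, from Debian's login or from libpam): the leaky flow returns before prompting when the account is unknown, while the hardened flow always prompts and always does the same hashing work, so a known and an unknown username are indistinguishable to the person at the console. The user table, salt and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed user database for the example: username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used for unknown accounts so that they cost the same
# work and produce the same prompt as real ones. It must never grant access.
_DUMMY = (_SALT, _hash("dummy-password", _SALT))


def login_leaky(username, prompt):
    """Flawed flow: fails before asking for a password when the user is unknown,
    which is exactly the observable difference the report complains about."""
    if username not in USERS:
        return False          # no prompt shown: account existence leaks
    salt, stored = USERS[username]
    return hmac.compare_digest(_hash(prompt(), salt), stored)


def login_fixed(username, prompt):
    """Hardened flow: prompt and hash unconditionally, then decide.
    The existence check happens only after the password has been consumed."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _hash(prompt(), salt)
    matched = hmac.compare_digest(candidate, stored)
    # Even a guess that happens to match the dummy hash must not log in.
    return matched and username in USERS


def probe(login, username, password="wrong password"):
    """Run one login attempt and report (was_prompted, result), so the
    prompt behaviour for known vs. unknown users can be compared."""
    prompted = []

    def prompt():
        prompted.append(username)
        return password

    result = login(username, prompt)
    return bool(prompted), result
```

With `login_leaky`, an unknown name never reaches the prompt; with `login_fixed`, both names are prompted and both fail the same way.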