On Tue, 2006-01-03 at 11:26 -0500, Michael H. Warfield wrote:
It's considered axiomatic that security systems should NEVER disclose that level of information, even to the point of not giving a different error (message or code) for invalid password vs invalid account. Even timing (responding too quickly if the account doesn't exist compared to wrong password) is considered a SERIOUS no-no. I would have to consider that sshdfilter a security vulnerability, not a security tool.
Fully agree.
Differences in the system's behavior that depend on the username and are visible from outside are a security issue.
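To make the point above concrete, here is an added illustration (not code from this thread, from sshd, or from sshdfilter) of the two patterns Michael describes: a login check that returns early with a distinct message when the account does not exist, next to one that does the same amount of work and returns the same message whether or not the account exists. The user database, passwords and the `authenticate_leaky` / `authenticate_uniform` names are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Work factor for the password hash. Kept modest so the demo runs in a few seconds;
# a real deployment would use a much higher count or a memory-hard KDF.
ITERATIONS = 20_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(users: dict) -> dict:
    """Constructed sample database: username -> (salt, pbkdf2 hash)."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash_password(pw, salt))
    return db


# Hash of a random password nobody has. It is verified whenever the username is
# unknown, so the unknown-user path costs the same as the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def authenticate_leaky(db: dict, username: str, password: str):
    """Vulnerable pattern: distinct error text and an early, fast return for unknown accounts."""
    if username not in db:
        return False, "no such user"  # no hashing done: answers in microseconds
    salt, stored = db[username]
    if _hash_password(password, salt) == stored:  # ordinary == is also not constant-time
        return True, "ok"
    return False, "bad password"


def authenticate_uniform(db: dict, username: str, password: str):
    """Hardened pattern: same message and same work whether or not the account exists."""
    salt, stored = db.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always paid, even for unknown users
    ok = hmac.compare_digest(candidate, stored) and username in db
    return ok, ("ok" if ok else "authentication failed")


def time_call(fn, *args, rounds: int = 10) -> float:
    """Average wall-clock time of fn(*args) over `rounds` calls, in seconds."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - t0) / rounds


def compare_oracles(db: dict, known_user: str, unknown_user: str) -> dict:
    """For each checker, return (message for known user, message for unknown user,
    unknown/known timing ratio). A ratio far from 1.0 is a username oracle."""
    results = {}
    for name, fn in (("leaky", authenticate_leaky), ("uniform", authenticate_uniform)):
        msg_known = fn(db, known_user, "not the password")[1]
        msg_unknown = fn(db, unknown_user, "not the password")[1]
        t_known = time_call(fn, db, known_user, "not the password")
        t_unknown = time_call(fn, db, unknown_user, "not the password")
        results[name] = (msg_known, msg_unknown, t_unknown / t_known)
    return results


if __name__ == "__main__":
    sample_db = make_user_db({"alice": "correct horse battery staple"})  # constructed data
    for name, (m_known, m_unknown, ratio) in compare_oracles(sample_db, "alice", "mallory").items():
        print(f"{name:8s} known user -> {m_known!r:25s} unknown user -> {m_unknown!r:25s} "
              f"timing ratio unknown/known = {ratio:.3f}")
```

Run locally, the leaky checker answers an unknown username orders of magnitude faster than a wrong password and with different text, so an attacker can enumerate valid accounts without ever guessing a password; the uniform checker gives the same text and a ratio near 1.0 because both paths perform one KDF computation and one constant-time compare. The residual difference (a dictionary lookup) is far below the cost of the hash, which is why equalizing the expensive step is the standard mitigation.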