Hello,

On Thu, Sep 20, 2007 at 05:29:00PM +0200, [EMAIL PROTECTED] wrote:
>
> when logging in with an unknown user name,
> the login is immediately rejected with 'Login incorrect'.

That may have changed between Sarge and Etch, when the login strategy changed to use PAM.

> I suppose this is bad for security as it allows to
> more easily guess valid user names.

I don't think there are any security issues here.

Your security should not rely on usernames. There are usually a lot of ways to find user names (starting with common names like "root", using naming policies, looking at mail headers, etc.)

If anything like this had to be implemented, a simple sleep in login would not be sufficient. It would be better to implement a PAM module which could enforce a login burst restriction policy for all the services of a server. (i.e. otherwise, you could still switch from one console to the other)

I'm still not closing this bug, and would prefer to have the co-maintainers' opinion.

--
Nekral
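The difference between a delay kept by one program and a burst policy shared by all services, as an added Python model that is not part of the original message and is not PAM code. The class name, the `origin` label, the limits and the sample attempts are all constructed assumptions; the user name is deliberately never consulted, so known and unknown names are handled identically.

```python
from collections import defaultdict, deque

class BurstPolicy:
    """Sliding-window limit on failed logins (hypothetical model, not a PAM API)."""

    def __init__(self, max_failures=3, window=60.0, per_service=False):
        self.max_failures = max_failures
        self.window = window
        # per_service=True models a limit kept inside one program (e.g. login
        # on one console); False models one policy shared by every service.
        self.per_service = per_service
        self._failures = defaultdict(deque)

    def _key(self, service, origin):
        return (service, origin) if self.per_service else origin

    def allowed(self, service, origin, now):
        q = self._failures[self._key(service, origin)]
        while q and now - q[0] >= self.window:
            q.popleft()                      # forget failures outside the window
        return len(q) < self.max_failures

    def record_failure(self, service, origin, now):
        self._failures[self._key(service, origin)].append(now)

def replay(policy, attempts):
    """Count the attempts that get as far as credential checking."""
    checked = 0
    for now, service, origin, _user in attempts:   # user name is ignored on purpose
        if not policy.allowed(service, origin, now):
            continue
        checked += 1
        policy.record_failure(service, origin, now)  # every sample attempt fails
    return checked

# Constructed sample: one origin moving between consoles and services.
ATTEMPTS = [
    (0.0, "login:tty1", "origin-a", "root"),
    (1.0, "login:tty1", "origin-a", "nosuchuser"),
    (2.0, "login:tty1", "origin-a", "alice"),
    (3.0, "login:tty2", "origin-a", "bob"),
    (4.0, "login:tty2", "origin-a", "nosuchuser2"),
    (5.0, "login:tty2", "origin-a", "carol"),
    (6.0, "sshd", "origin-a", "dave"),
    (7.0, "sshd", "origin-a", "erin"),
    (70.0, "sshd", "origin-a", "frank"),
]

if __name__ == "__main__":
    print("per-service:", replay(BurstPolicy(per_service=True), ATTEMPTS))
    print("shared:     ", replay(BurstPolicy(per_service=False), ATTEMPTS))
```

With the per-service limit every attempt in the sample is checked, because each switch of console or service starts a fresh counter; the shared policy stops the burst after three failures until the window expires.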

