dubious behavior during login
Rafael Caetano dos Santos
rcaetano at linux.ime.usp.br
Wed Nov 29 04:50:59 EST 2000
Hi,
I'm running openssh-2.3.0p1 under Tru64 4.0.
I've got the sources and built it whithout additional options.
The `problem' happens when a login from a non-existing user is attempted:
$ ssh bogus at foo.com
Connection closed by foo.com
It doesn't even ask the password. So anyone can test whether this
host has a user called bogus.
I'm not sure whether this is a bug, but I guess it's not advisable to
give away such information.
I also run ssh 2.2.0p1 under Debian GNU/Linux, but its behavior
is different (and correct, I suppose):
$ ssh bogus at foo.com
bogus at foo's password:
Permission denied, please try again.
Please cc: me, since I'm not subscribed to the list.
Thanks in advance.
bye
Rafael Caetano <rcaetano at linux.ime.usp.br>
More information about the openssh-unix-dev
mailing list