dubious behavior during login

Rafael Caetano dos Santos rcaetano at linux.ime.usp.br
Wed Nov 29 04:50:59 EST 2000


I'm running openssh-2.3.0p1 under Tru64 4.0.
I've got the sources and built it whithout additional options.
The `problem' happens when a login from a non-existing user is attempted:

$ ssh bogus at foo.com
Connection closed by foo.com

It doesn't even ask the password.  So anyone can test whether this
host has a user called bogus.
I'm not sure whether this is a bug, but I guess it's not advisable to
give away such information.

I also run ssh 2.2.0p1 under Debian GNU/Linux, but its behavior 
is different (and correct, I suppose):

$ ssh bogus at foo.com
bogus at foo's password: 
Permission denied, please try again.

Please cc: me, since I'm not subscribed to the list.

Thanks in advance.

    Rafael Caetano <rcaetano at linux.ime.usp.br>

More information about the openssh-unix-dev mailing list