On Sunday 29 February 2004 22:59, Steve Ward wrote:
> I noticed that the graphical login screen now displays the last
> successful login for the username entered _before_ the password is entered.
> This is a security issue because it tells a potential cracker that they
> have found a valid login.
I agree with your concerns and almost submitted a bugzilla report to at least
document the concern.
The problem is that this new "feature" is both a security plus and a security
minus. It is part of gdm and can be configured off in /etc/X11/gdm/gdm.conf
for those who do not want it.
From the plus side, if a user notices that the last login date/time does not
match what they remember, they can report it or take other appropriate
actions.
From the minus side, it provides an attacker with the information that a valid
userid has been entered before the user has been actually authenticated
(before a valid password has been entered). Thus, they can now "just" attack
the password rather than the combination of userid and password (they have a
smaller search space).
This new feature has been implemented in gdm. Ideally, it should not be
implemented in gdm but instead be in the startup process as a popup (or
whatever). Thus, only authenticated users would see the Last Login popup.
Comments?
--
Gene
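
The trade-off discussed in this thread, as an added example that is not part of the original message and is not gdm code: a simulated greeter that shows the last login before the password is checked, next to one that reports it only after authentication, plus a regression check for the difference. All function names and the account data are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed value, for the sample only


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed sample account database (not real data).
USERS = {
    "gene": {"pw": _hash("correct horse"),
             "last_login": "Sat Feb 28 09:14 2004"},
}


def greeter_pre_auth(username):
    """Behaviour described in the thread: the last-login line appears as
    soon as a username is entered, before any password is checked."""
    user = USERS.get(username)
    return f"Last login: {user['last_login']}" if user else ""


def greeter_uniform(username):
    """Pre-password screen that is identical for every username."""
    return ""


def session_start(username, password):
    """Suggestion from the thread: report the last login only once the
    user is authenticated. Returns the message, or None on failure."""
    user = USERS.get(username)
    # Hash against a dummy value for unknown users so both paths do
    # the same amount of work.
    expected = user["pw"] if user else _hash("dummy")
    ok = hmac.compare_digest(_hash(password), expected) and user is not None
    return f"Last login: {user['last_login']}" if ok else None


def reveals_valid_usernames(pre_auth_screen, known, unknown):
    """Regression check: True if the pre-password screen differs between
    an existing account and a non-existing one."""
    return pre_auth_screen(known) != pre_auth_screen(unknown)
```

The legitimate user still sees the last-login time and can report a mismatch, but only `session_start` ever returns it.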