Bug 69597 – GDM can be used to determine valid usernames (even without the face browser)

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 69597 - GDM can be used to determine valid usernames (even without the face browser)


Summary:	GDM can be used to determine valid usernames (even without the face browser)


Status:	RESOLVED FIXED

Product:	gdm
Classification:	Core
Component:	general
Version:	2.2.5.4
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	GDM maintainers
QA Contact:	Trevor Curtis

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2002-01-24 21:26 UTC by Joel Becker
Modified:	2002-07-11 22:35 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Joel Becker 2002-01-24 21:26:33 UTC

An administrator can turn off the face browser to prevent folks from
knowing valid usernames.  However, as with the ESMTP VRFY command, GDM will
respond differently to valid and invalid usernames.  If a valid username is
entered with an incorrect or missing password, a message of the form "You
have entered an invalid username or password" is displayed in the GDM
window.  If an invalid username is entered, no matter the password, a
dialog pops up with the message "Authentication failed."  In this manner,
it is obvious when you have hit upon a valid usename (and the message "You
have entered an invalid username or password" might as well read "You have
entered an invalid password").

Comment 1 Pawel Salek 2002-06-12 07:33:22 UTC

*** Bug 84968 has been marked as a duplicate of this bug. ***

Comment 2 George Lebl 2002-07-11 22:35:34 UTC

This has been fixed in the 2.2.5.5 version