[Bug 672328] Re: vsftpd: discloses whether usernames are valid or not

Mark Hobley 672328 at bugs.launchpad.net
Sun Feb 27 22:12:16 UTC 2011


The bug only occurs when the user whitelisting facility is being used (i.e.
userlist_enable=YES)

http://securitytracker.com/id?1008628

A workaround is to disable the userlist facility and then use PAM to deny
services.

I think this is a kludge. It should be possible to deny by default,
unless access is granted.

Unfortunately, if user whitelisting is enabled, vsftpd skips asking for
the password, regardless of the PAM setting.

We either need a fix to vsftpd to cause a prompt for password, or a
facility to reverse the bug, so it occurs when whitelisting is not used,
but does not occur when whitelisting is used. It does not make sense to
skip prompting for a password for whitelisted users.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
https://bugs.launchpad.net/bugs/672328

Title:
  vsftpd: discloses whether usernames are valid or not
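
An added example, not part of the original message or of vsftpd: a shell
check that reports whether a vsftpd.conf enables the userlist facility, the
condition this report ties the disclosure to. The function names, the sample
config and the last-occurrence-wins handling are assumptions; the fallback
values are vsftpd's documented defaults (userlist_enable=NO, userlist_deny=YES).

```shell
#!/bin/sh
# Added example: report whether a vsftpd.conf enables the userlist facility.

# vsftpd_opt FILE OPTION DEFAULT: print the effective value of OPTION, uppercased.
# Assumption: if an option is repeated, the last occurrence wins.
vsftpd_opt() {
    awk -F= -v opt="$2" -v def="$3" '
        /^#/ || !/=/ { next }                 # skip comments and non-directives
        $1 == opt { val = substr($0, length(opt) + 2)
                    sub(/[ \t\r]+$/, "", val) }
        END { print (val == "" ? def : toupper(val)) }
    ' "$1"
}

# audit_vsftpd FILE: print a finding; return 1 when the userlist facility is on.
audit_vsftpd() {
    enable=$(vsftpd_opt "$1" userlist_enable NO)
    deny=$(vsftpd_opt "$1" userlist_deny YES)
    case "$enable" in
        YES|TRUE|1) ;;
        *) echo "OK: userlist_enable is off"; return 0 ;;
    esac
    case "$deny" in
        NO|FALSE|0) echo "WARN: userlist_enable=YES in whitelist mode (userlist_deny=NO)" ;;
        *)          echo "WARN: userlist_enable=YES in deny-list mode" ;;
    esac
    return 1
}

# Constructed sample config (not taken from the bug report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
EOF
audit_vsftpd "$sample"
rm -f "$sample"
```

A WARN result means the workaround described in the message (disable the
userlist facility and deny through PAM) has not been applied to that file.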


