The bug only occurs when the user whitelisting facility is being used (i.e.
userlist_enable=YES)

http://securitytracker.com/id?1008628

A workaround is to disable the userlist facility and then use PAM to deny
services.

I think this is a kludge. It should be possible to deny by default,
unless access is granted.

Unfortunately, if user whitelisting is enabled, vsftpd skips asking for
the password, regardless of the PAM setting.

We either need a fix to vsftpd to cause a prompt for password, or a
facility to reverse the bug, so it occurs when whitelisting is not used,
but does not occur when whitelisting is used. It does not make sense to
skip prompting for a password for whitelisted users.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to vsftpd in ubuntu.
https://bugs.launchpad.net/bugs/672328

Title:
  vsftpd: discloses whether usernames are valid or not
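
The workaround mentioned in the message above, sketched as an added example (not part of the original bug comment or of the vsftpd package). The allow-list path /etc/vsftpd.allowed_users is an assumed name; pam_service_name=vsftpd is the service name the PAM file is assumed to be installed under.

```conf
# --- /etc/vsftpd.conf ---
# Turn off vsftpd's own user list so every login attempt reaches the
# password prompt, whether or not the username is permitted.
userlist_enable=NO
pam_service_name=vsftpd

# --- /etc/pam.d/vsftpd ---
# Deny by default: only users named in the allow-list file (one username
# per line) can pass authentication. onerr=fail keeps the service closed
# if the file is missing or unreadable.
# Keep the existing auth/account/session lines of this file after this line.
auth    required    pam_listfile.so item=user sense=allow file=/etc/vsftpd.allowed_users onerr=fail
```

With this layout the allow-list decision is made inside the PAM stack after the password has been submitted, so listed and unlisted usernames go through the same prompt.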

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com