busybox's getty supplies the typed username as an argument to busybox's login process, which itself asks for the username again in case of auth failure, 3 times! Then, if the username typed first was erroneous, it is kept for the session time:

    root      2170  0.0  0.0   1528     4 tty1     Ss   16:04   0:00 /bin/login -- adsfasdfasdf

Once I accidentally typed my password instead of my login at the console getty prompt, and it exposed my whole password to local users for the entire session period! It is bad for security! Should we remove the username prompt from login.c, or make it check whether the username supplied by getty was non-existent?
loginutils/login.c:522:

    ...
     auth_failed:
        opt &= ~LOGIN_OPT_f;
        bb_do_delay(LOGIN_FAIL_DELAY);
        /* TODO: doesn't sound like correct English phrase to me */
        puts("Login incorrect");
        if (++count == 3) {
            syslog(LOG_WARNING, "invalid password for '%s'%s", username, fromhost);
            if (ENABLE_FEATURE_CLEAN_UP)
                free(fromhost);
            return EXIT_FAILURE;
        }
        username[0] = '\0';
    } /* while (1) */
    ...

I guess there is no sense in the "if (++count == 3) {" on line 527. It saves no resource and is used extremely rarely, afaik.
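Added example, not busybox code and not from either poster: one way login could handle a username handed to it on the command line by getty, along the lines the first post suggests. The name is kept only if getpwnam() finds an account for it (so a password mistyped at the getty prompt is not reused as the username for the rest of the session), and the argv copy is wiped so the string stops appearing in ps output. Function names and the sample strings are assumptions made for this illustration.

```c
/* Added example (hypothetical code, not busybox's login.c): validate and
 * scrub a username that getty passed on login's command line. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when `name` is an existing account, 0 otherwise (or for an
 * empty / missing name). A mistyped password will not match any account. */
int username_known(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    return getpwnam(name) != NULL;
}

/* Overwrite the argv slot in place so the string disappears from the
 * process's visible command line. Returns the number of bytes wiped. */
size_t scrub_argv_username(char *arg)
{
    size_t n = strlen(arg);
    memset(arg, 0, n);
    return n;
}

/* Decide what to do with a getty-supplied username:
 *   - copy it into `out` and return 1 if it names a real account;
 *   - otherwise leave `out` empty and return 0, so login prompts afresh
 *     instead of keeping the bogus string for the whole session.
 * In both cases the argv copy is scrubbed afterwards. */
int accept_getty_username(char *arg, char *out, size_t outlen)
{
    int ok = 0;

    if (outlen == 0)
        return 0;
    out[0] = '\0';

    if (arg != NULL) {
        if (username_known(arg) && strlen(arg) < outlen) {
            strcpy(out, arg);
            ok = 1;
        }
        scrub_argv_username(arg);
    }
    return ok;
}

int main(int argc, char **argv)
{
    char username[64];
    /* Constructed input: what getty would pass after `/bin/login -- NAME`.
     * Falls back to a name that no account should have when run without args. */
    char fallback[] = "adsfasdfasdf";
    char *supplied = (argc > 1) ? argv[argc - 1] : fallback;

    if (accept_getty_username(supplied, username, sizeof username))
        printf("using username '%s' from getty\n", username);
    else
        printf("getty-supplied name rejected; prompting for login\n");
    /* The argv slot is now all zero bytes, so `ps` no longer shows it. */
    return 0;
}
```

Run as `./a.out -- somename`: an existing account is accepted, anything else (including a mistyped password) is rejected and wiped before login would prompt again.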