Does this potentially reduced the difficulty to guess username out?

Hi @laixintao, thanks for your comment, In my opinion I don’t think so, since it only indicates the user doesn’t exist, while did not give any clue about the user name pattern. In the old way for the above three scenario, it only indicates wrong username password pair, which doesn’t give end user any clue why cannot authenticate with this user, that’s the purpose of this PR

That's not technically true, it allows you to brute force what the usernames are. Although I agree they are less secretive than the passwords, I don't think we should be giving detailed error messages. Unless someone else finds a compelling reason for this, I don't think this should be accepted.

i agree this is undesirable.
any user system i know of, is responding with a generic "unknown user or wrong password".

@hwware i'm closing this one, but please keep up the good work.

Hi @madolson @oranagra ,thank you very much for the comments and suggestions :) But for disabled user case, should we show this message separately? I remember before I saw other software shows user disabled separately from wrong username and password.

@hwware do you remember which software was it?
@yossigo what do you think? should an AUTH attempt for a disabled user show different error message or generic one (one that returns for unknown username or password)?

Common sense says don't provide additional information, i.e. if the user does not exist, is disabled, or just wrong password. This can be logged though.

Hi @oranagra , I forgot which exactly I saw before, but I think there is not only one cases, such as: https://openvpn.net/vpn-server-resources/troubleshooting-authentication-related-problems/. I think what @yossigo suggested also make sense, but if we change the error message accordingly to "user/pass combination is not correct, or user is suspended"make this better,how do you think? @oranagra @yossigo