[Pkg-shadow-devel] Bug#531341: Bug#531341: prints "login incorrect" without asking for password when entering an invalid login

Christian Perrier bubulle at debian.org
Mon Jun 1 07:19:15 UTC 2009


Quoting Dmitri Gribenko (gribozavr at gmail.com):
> On Mon, Jun 1, 2009 at 9:14 AM, Christian Perrier <bubulle at debian.org> wrote:
> > login uses PAM for this and default settings are correct wrt brute
> > force attacks, with a 3 seconds delay before answering "Login incorrect".
> 
> The delay is there and works as expected.  The problem is that an
> attacker can distinguish between a valid and an invalid login (in the
> latter case password is not asked -- this is the problem).  Thus, he
> can first brute force for a login, then for a password.  If he
> couldn't, he would now know which logins are valid on the system.


(please answer to the bug report so that the whole thread remains
archived there)

Well, IIRC, this has been debated many times already, in both the
Debian package development history and during the upstream development
(the Debian maintainer, Nicolas François, is now upstream for shadow).

Again, I don't really see how one could *really* brute force logins
when PAM sets a 3 seconds delay for its answer....but let's see what
light can be put by Nicolas on this: his memory of these discussions is
maybe better than mine.


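As an added illustration, not code from shadow, login(1) or PAM and not part of this thread: the difference Dmitri describes, a login flow that rejects an unknown user name before the password prompt, beside one that always prompts, does the same password work and answers with the same message, so the response does not reveal whether the user name exists. The user database, salts and hashes below are constructed stand-ins.

```python
"""Added example, not from shadow/login or PAM: a login prompt that leaks
user-name validity beside one that does not."""
import hashlib
import hmac
import os

LOGIN_INCORRECT = "Login incorrect"
_ITERATIONS = 20_000  # kept low so the example runs quickly


def _pw_hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, _ITERATIONS)


# Constructed stand-in for /etc/shadow: user name -> (salt, hash).
_ALICE_SALT = b"constructed-salt"
USERS = {"alice": (_ALICE_SALT, _pw_hash(b"correct horse", _ALICE_SALT))}

# Dummy credential for unknown users: random, so it never matches, but
# it makes the hash computation cost the same as for a real account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pw_hash(os.urandom(16), _DUMMY_SALT)


def leaky_login(username, read_password):
    """The behaviour reported in the bug: an unknown user is rejected
    before the password prompt, so the prompt itself reveals validity."""
    if username not in USERS:
        return False, LOGIN_INCORRECT  # password never asked for
    salt, expected = USERS[username]
    ok = hmac.compare_digest(_pw_hash(read_password().encode(), salt), expected)
    return ok, ("" if ok else LOGIN_INCORRECT)


def uniform_login(username, read_password):
    """Always prompt, always do the same hashing work, always answer with
    the same message, so valid and invalid user names look alike."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _pw_hash(read_password().encode(), salt)
    ok = hmac.compare_digest(candidate, expected) and username in USERS
    return ok, ("" if ok else LOGIN_INCORRECT)


def scripted_attempt(login, username, password="wrong"):
    """Run one attempt with a canned password; also report how many times
    the password prompt was shown, which is what an observer would see."""
    prompts = []
    def read_password():
        prompts.append(password)
        return password
    ok, message = login(username, read_password)
    return ok, message, len(prompts)
```

In the real login(1), PAM's fixed delay on failure still applies on top of this; the point of the example is that the delay alone does not hide which branch was taken when one branch never shows the prompt.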

