On Thu, Apr 05, 2012 at 01:32:46PM +0200, Bjørn Ketelaars wrote:
> On Thu, Apr 5, 2012 at 6:51 AM, Otto Moerbeek wrote:
> > That sounds like timing-based attacks to guess a username still will work.
> >
> >-Otto
>
> First thing I thought when reading your reply: absolute nonsense. With
>
On Thu, Apr 5, 2012 at 6:51 AM, Otto Moerbeek wrote:
> That sounds like timing-based attacks to guess a username still will work.
>
>-Otto
First thing I thought when reading your reply: absolute nonsense. With
that mindset I really wanted to disprove your suggestion. For this I
have set-u
On Wed, Apr 04, 2012 at 09:43:35PM +0200, Bjørn Ketelaars wrote:
> 2012/4/4 Todd C. Miller :
> > Why do we care if the user exists? Ideally, you want the code to
> > behave more or less the same whether the user is real or not.
> > Otherwise, a remote attacker can guess valid usernames by timing
2012/4/4 Todd C. Miller :
> Why do we care if the user exists? Ideally, you want the code to
> behave more or less the same whether the user is real or not.
> Otherwise, a remote attacker can guess valid usernames by timing a
> login attempt.
>
> For safety's sake, it makes sense to reject a usern
Why do we care if the user exists? Ideally, you want the code to
behave more or less the same whether the user is real or not.
Otherwise, a remote attacker can guess valid usernames by timing a
login attempt.
For safety's sake, it makes sense to reject a username with a '/'
in it since the yubike
> Why doesn't login_yubikey just use getpwnam() to check if the
> user exists like the other login_* mechs?
Why make it simple if there are exciting pattern matching options like
regexp or multiple if-statements ;-)
Index: login_yubikey.c
==
On 2012/04/04 15:34, Bjørn Ketelaars wrote:
> 2012/4/3 Theo de Raadt :
> > Hmm, I'd like to see that refactored somehow.
> >
> > Also, '-' should not be legal at the start of a login name. There
> > are things that care. I think at the end it is OK, though.
> >
> > Crazy eh. Isn't there somethin
pretty confident a regex won't fly :)
On 04/04/2012, at 11:34 PM, Bjørn Ketelaars wrote:
> 2012/4/3 Theo de Raadt :
>> Hmm, I'd like to see that refactored somehow.
>>
>> Also, '-' should not be legal at the start of a login name. There
>> are things that care. I think at the end it is OK, thoug
2012/4/3 Theo de Raadt :
> Hmm, I'd like to see that refactored somehow.
>
> Also, '-' should not be legal at the start of a login name. There
> are things that care. I think at the end it is OK, though.
>
> Crazy eh. Isn't there something else in libc that checks this?
New diff:
Index: login_
2012/4/1 Theo de Raadt :
> You should really re-do that so that the login name cannot start or
> end with a '.'
Index: login_yubikey.c
===
RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v
retrieving revision 1.4
diff -u -r1.
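The login-name rules stated across the thread (Todd: reject a username containing '/'; Theo: '-' is not legal at the start but OK at the end, and a name cannot start or end with '.'), collected into one check as an added example. This is not the login_yubikey code or any diff from the thread; the function name, the length limit and the printable-ASCII restriction are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the login_yubikey code: a syntactic check for a
 * login name written to the rules stated in the thread.  The function
 * name, the length limit and the printable-ASCII check are assumptions.
 */

#define LOGIN_NAME_MAX_ASSUMED 32	/* assumed limit, not from the thread */

static bool
valid_login_name(const char *name)
{
	size_t i, len;

	if (name == NULL)
		return false;
	len = strlen(name);
	if (len == 0 || len > LOGIN_NAME_MAX_ASSUMED)
		return false;

	/* Theo: '-' is not legal at the start of a login name; OK at the end. */
	if (name[0] == '-')
		return false;

	/* Theo: a login name cannot start or end with a '.'; "user.name" is fine. */
	if (name[0] == '.' || name[len - 1] == '.')
		return false;

	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];

		/* Todd: reject a username with a '/' in it. */
		if (c == '/')
			return false;
		/* Assumed hardening beyond the thread: printable ASCII only,
		 * so whitespace and control bytes are rejected as well. */
		if (c <= ' ' || c >= 0x7f)
			return false;
	}
	return true;
}

int
main(void)
{
	/* Constructed sample names for illustration, not from the thread. */
	const char *samples[] = {
		"user.name", "bjorn", "name-", ".name", "name.", "-name",
		"user/name", "", "user name"
	};
	size_t n;

	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
		printf("%-12s %s\n", samples[n],
		    valid_login_name(samples[n]) ? "accept" : "reject");
	return 0;
}
```

A check like this only settles which strings are syntactically acceptable; Todd's suggestion in the thread is to use getpwnam() as the other login_* mechanisms do, and both Todd and Otto point out that a remote attacker can still guess valid usernames by timing a login attempt, which no syntax check addresses.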
login_yubikey does not accept user names with a dot (e.g. user.name).
If one is offered, login fails. As other authentication types (e.g.
login_passwd) do accept the use of a dot, it seems that this is a
'feature' related to login_yubikey.
A small patch:
ok?
Index: login_yubikey.c
=