Mailinglist Archive: opensuse-security (396 mails)
Re: [suse-security] Secure root alias logins
- From: Steffen Dettmer <steffen@xxxxxxx>
- Date: Mon, 27 Jan 2003 22:00:57 +0100
- Message-id: <20030127220057.C3004@xxxxxxxxx>
* Achim Hoffmann wrote on Sat, Jan 25, 2003 at 18:08 +0100:
> On Fri, 24 Jan 2003, Steffen Dettmer wrote:
>
> > * Achim Hoffmann wrote on Thu, Jan 23, 2003 at 23:15 +0100:
> > > Things might get more complicated for attackers if you use for
> > > example LDAP as authentication, there it's not that simple to
> > > get valid usernames.
> >
> > Yes, interesting point. But in practice I still think that there
> > is a name (claim) and a secret (proof), and to make it clear, the
> > secret is secret :)
>
> LDAP can be configured to return uninformative errors.
>
> This way at least the username must be known (claimed); guessing is worthless
> or results in a brute force attack.
The same applies to good login / authentication services:
normally you should not learn whether the password or already the
username is wrong. KDM is an exception; there you can usually see
whether a username exists (since the default session is read before
the password is entered).
But here you have the claim to be some user, and you have to
prove your identity by proving that you know a secret, the
password.
oki,
Steffen
--
This letter was generated by machine,
therefore it bears neither signature nor seal.
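As an added illustration of the point made above about login services that should not reveal whether the username or the password was wrong (example code written for this archive page, not from the thread or from any SUSE component), the block below puts an enumeration-prone login routine next to a hardened one and then runs the attacker's check against both. The user table, the salts, the password, the iteration count and all error strings are constructed here for the demo; the hardened path pays for one password hash even when the username does not exist, so the two failure cases also take comparable time.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo credential store (not from the thread): username -> (salt, PBKDF2 hash).
ITERATIONS = 50_000


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; the same cost on every code path."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, derive(password, salt)


USERS = {"alice": make_record("correct horse")}

# Dummy record used when the username does not exist, so the unknown-user
# path still pays for one hash and both failure paths take comparable time.
DUMMY_RECORD = make_record(secrets.token_hex(16))

UNIFORM_ERROR = "invalid username or password"


def leaky_login(username: str, password: str):
    """Enumeration-prone: the error text says which of the two checks failed."""
    if username not in USERS:
        return False, "unknown user"          # confirms the name does not exist
    salt, stored = USERS[username]
    if not hmac.compare_digest(derive(password, salt), stored):
        return False, "wrong password"        # confirms the name does exist
    return True, "ok"


def uniform_login(username: str, password: str):
    """Hardened: one hash computation and one failure message on every path."""
    salt, stored = USERS.get(username, DUMMY_RECORD)
    # compare_digest runs first on every path; the membership test only guards
    # against the (unguessable) dummy record ever matching.
    ok = hmac.compare_digest(derive(password, salt), stored) and username in USERS
    return ok, ("ok" if ok else UNIFORM_ERROR)


def enumerate_users(login, candidates):
    """Attacker's view of a login oracle: a candidate name is confirmed when its
    failure message differs from that of a name that certainly does not exist.
    An empty result means the error text gives no username oracle."""
    _, baseline = login("no-such-user-" + secrets.token_hex(8), "guess")
    return {name for name in candidates if login(name, "guess")[1] != baseline}


if __name__ == "__main__":
    wordlist = ["root", "alice", "bob"]
    print("leaky:  ", sorted(enumerate_users(leaky_login, wordlist)))    # ['alice']
    print("uniform:", sorted(enumerate_users(uniform_login, wordlist)))  # []
```

The same parity has to hold for everything the client can observe, not only the message string: status codes, response length and response time. The KDM behaviour described in the message is the pre-authentication variant of the same oracle, where the username lookup happens before any password is entered, so an identical error text after the fact would not close it.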