[Bug 799988] New: No Incorrect Password Re-Entry Delay at Konsole (Terminal)
https://bugzilla.novell.com/show_bug.cgi?id=799988
https://bugzilla.novell.com/show_bug.cgi?id=799988#c0

           Summary: No Incorrect Password Re-Entry Delay at Konsole (Terminal)
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Final
          Platform: Macintosh
        OS/Version: openSUSE 12.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: KDE4 Applications
        AssignedTo: kde-maintainers@suse.de
        ReportedBy: jane.d.anonymous@gmail.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0

When an incorrect password is entered at the command line, "Sorry, try again" is displayed immediately, up to a maximum of three consecutive times. This is an easy-to-solve security issue.

Reproducible: Always

Steps to Reproduce:
1. Open a terminal.
2. Run any command as super user, e.g. "sudo man zypper"
3. Enter an incorrect password for sudo

Actual Results:
"Sorry, try again" appears immediately, up to a maximum of three times, whence the cycle can be immediately started again.

Expected Results:
There should be a delay in the error message appearing.

Lacking this delay makes brute-force hacking of a system infinitely easier, as millions of incorrect passwords could be tried every minute, rather than the scant few that could be tried with a simple delay. Implementing this delay is common in *nix systems, and should be implemented here. I hesitate to file this as an "Enhancement" bug, as it's really crucial that this kind of straightforward security hole be patched.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=799988
https://bugzilla.novell.com/show_bug.cgi?id=799988#c1

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Component|KDE4 Applications           |Security
        AssignedTo|kde-maintainers@suse.de     |security-team@suse.de
          Severity|Major                       |Enhancement

--- Comment #1 from Stephan Kulow <coolo@suse.com> 2013-01-23 09:33:47 CET ---
This is for sure not a KDE problem, that much is certain as you can call sudo from everywhere. But it's not a sudo problem either, because if sudo had a delay, the attacker would just have to call 10 sudos in parallel - or 20 or 30, depending on how large you would want to define the delay.

Preventing local users from querying the password of other users needs to be tracked somewhere globally, but this is not an "easy-to-solve" issue.
https://bugzilla.novell.com/show_bug.cgi?id=799988
https://bugzilla.novell.com/show_bug.cgi?id=799988#c2

--- Comment #2 from Julia A <julia.mailings@gmx.com> 2013-01-24 01:07:44 UTC ---
You're quite right; I hadn't meant to be flippant --- sorry about that. Thank you for your timely response.
https://bugzilla.novell.com/show_bug.cgi?id=799988
https://bugzilla.novell.com/show_bug.cgi?id=799988#c3

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |RESOLVED
                CC|                            |meissner@suse.com
        Resolution|                            |WONTFIX

--- Comment #3 from Marcus Meissner <meissner@suse.com> 2013-04-18 13:55:28 UTC ---
You can hook in "pam_tally2" (see man pam_tally2) that locks accounts after some tries.

In general, password cracking these days in this way is hard due to the hashing+round delays that are in use, so not a real serious issue in our eyes.
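The pam_tally2 hook Marcus refers to, written out as a constructed PAM configuration excerpt (an added example, not part of the bug report or of openSUSE's shipped defaults; the deny and unlock_time values are illustrative). Because pam_tally2 keeps one per-user counter in /var/log/tallylog, independent of the calling process, it also covers the parallel-sudo case raised in comment #1: every failed attempt, from whichever sudo or login process, increments the same tally.

```text
# /etc/pam.d/common-auth  (constructed excerpt)
# Count first, before any module that can reject the password, so the
# failure is recorded regardless of which later module says "no".
# deny=5         lock after 5 consecutive failures
# unlock_time=600 release the lock automatically after 600 seconds
# onerr=fail     treat a tally I/O error as a failure, not as a free pass
auth     required   pam_tally2.so deny=5 unlock_time=600 onerr=fail
auth     required   pam_env.so
auth     required   pam_unix.so try_first_pass

# /etc/pam.d/common-account  (constructed excerpt)
# The account stage refuses a user still over the limit and resets the
# counter after a successful authentication.
account  required   pam_tally2.so
account  required   pam_unix.so try_first_pass
```

Inspect or clear a user's counter with `pam_tally2 --user <name>` and `pam_tally2 --user <name> --reset`; since sudo also goes through PAM, a locked-out user sees the lock apply to sudo as well as to login.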