From owner-freebsd-bugbusters@FreeBSD.ORG Sat Feb 15 21:00:49 2014
Message-ID: <52FFD55C.5030408@freeradius.org>
Date: Sat, 15 Feb 2014 16:00:12 -0500
From: Alan DeKok
To: Florian Weimer
Cc: Pierre Carrier, secalert, pkgsrc-security, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters, product.security@airbnb.com
Subject: Re: freeradius denial of service in authentication flow
References: <52FC1916.4060501@freeradius.org> <87sirkm8uo.fsf@mid.deneb.enyo.de>
In-Reply-To: <87sirkm8uo.fsf@mid.deneb.enyo.de>
List-Id: "Coordination of the Problem Report handling effort."

Florian Weimer wrote:
> * Alan DeKok:
>
>> That's an issue, but a rare one IMHO. The user has to exist on the
>> system. So this isn't a remote DoS.
>
> Could you elaborate on this assessment? Is this because typical data
> sources for SSHA passwords limit the length of the salt and thus the
> length of the SSHA hash?

  Partly. The typical use-case for a remote DoS is for an unauthenticated
user to take down the system. Here, the user has to be known, *and* be
able to create a long SSHA password.

  To me, this puts the issue into the category of "known users can do bad
things", which is very different from "unknown users can do bad things".

  Alan DeKok.
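The exchange above turns on one property of {SSHA} entries: the stored value is base64(SHA1(password || salt) || salt), the salt has no fixed length, so the decoded entry is as long as whoever wrote it into the data source chose to make it. The following is an added example, not FreeRADIUS's own rlm_pap code and not the fix discussed in this thread; it shows the {SSHA} layout and a verifier that bounds the entry before decoding it. The 64-byte salt ceiling and all function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac

# Assumed bound for this example (not a FreeRADIUS value): a SHA-1 digest is
# 20 bytes, and this verifier refuses to look at salts longer than 64 bytes.
SHA1_LEN = 20
MAX_SALT_LEN = 64
MAX_DECODED_LEN = SHA1_LEN + MAX_SALT_LEN


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} entry: base64(SHA1(password || salt) || salt).

    Nothing here limits the salt; that is exactly why a user who can write
    their own password entry can also make the stored hash arbitrarily long.
    """
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(entry: str, max_decoded_len: int = MAX_DECODED_LEN):
    """Split an {SSHA} entry into (digest, salt), or raise ValueError.

    The length is checked on the base64 text, before decoding, so an
    over-long entry is rejected without ever materialising its bytes.
    """
    if not entry.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} entry")
    b64 = entry[len("{SSHA}"):]
    # base64 turns every 3 bytes into 4 characters, so the longest acceptable
    # text is ceil(max_decoded_len / 3) * 4 characters.
    if len(b64) > ((max_decoded_len + 2) // 3) * 4:
        raise ValueError("SSHA entry too long")
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) < SHA1_LEN + 1:
        raise ValueError("SSHA entry too short: no salt present")
    if len(raw) > max_decoded_len:
        raise ValueError("SSHA entry too long")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_entry_ok(entry: str) -> bool:
    """True if the entry passes the format and length checks, False otherwise."""
    try:
        parse_ssha(entry)
    except ValueError:
        return False
    return True


def verify_ssha(password: bytes, entry: str) -> bool:
    """Recompute SHA1(password || salt) and compare it in constant time."""
    digest, salt = parse_ssha(entry)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    normal = make_ssha(b"secret", b"12345678")
    oversized = make_ssha(b"secret", b"A" * 4096)
    print("normal entry accepted:", ssha_entry_ok(normal))
    print("normal entry verifies:", verify_ssha(b"secret", normal))
    print("4096-byte salt accepted:", ssha_entry_ok(oversized))
```

The point of checking the base64 length first is that the bound is enforced by the verifier itself rather than by trusting the data source; as the thread notes, whether a data source limits the salt length is what decides whether a known user can produce the long entry in the first place.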