Date:      Mon, 31 May 1999 02:59:19 +0000 (GMT)
From:      jgarman@sso.sytexinc.com
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/11952: poppassd security enhancements
Message-ID:  <19990531025919.C84255EF01@mail.sso.sytexinc.com>


>Number:         11952
>Category:       ports
>Synopsis:       poppassd security enhancements
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 30 20:00:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Jason Garman
>Release:        FreeBSD 3.2-RELEASE i386
>Organization:
individual
>Environment:

	not relevant; any machine with the poppassd port installed

>Description:

	poppassd by default allows an attacker to brute-force guess
	account names and passwords

>How-To-Repeat:

	none.

>Fix:

The following patch adds a delay when an incorrect password is
entered for an account, and also changes the response for an unknown
username from "user unknown" to "password incorrect" in order to keep
people from finding out what user accounts exist by querying the
server ad infinitum.
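Once this patch is applied the client can no longer tell an unknown user from a wrong password, but the two syslog messages it emits still let the server operator tell them apart. The script below is an added example, not part of this PR or of poppassd: it parses those two log lines and flags a burst of failures in a sliding window. The hostname, pids, year and sample lines are constructed for the example, and the window and threshold are arbitrary assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the format the patched poppassd emits.
# The hostname "mail", the pids and the timestamps are made up.
SAMPLE_LOG = """\
May 31 02:59:01 mail poppassd[4021]: Unknown user admin tried to use service
May 31 02:59:07 mail poppassd[4022]: Unknown user test tried to use service
May 31 02:59:13 mail poppassd[4023]: Incorrect password from alice
May 31 02:59:19 mail poppassd[4024]: Unknown user guest tried to use service
May 31 02:59:25 mail poppassd[4025]: Incorrect password from alice
May 31 03:30:00 mail poppassd[4100]: Incorrect password from bob
"""

# Matches exactly the two messages added/kept by the patch.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ poppassd\[\d+\]: "
    r"(?:Unknown user (?P<unknown>\S+) tried to use service"
    r"|Incorrect password from (?P<known>\S+))$"
)

def parse_line(line, year=1999):
    """Return (timestamp, kind, user) or None if the line is not a poppassd
    failure. kind is 'unknown' or 'badpass'. The year is an assumption,
    because classic syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    if m.group("unknown") is not None:
        return ts, "unknown", m.group("unknown")
    return ts, "badpass", m.group("known")

def find_bursts(log_text, window_seconds=60, threshold=3):
    """Slide a window over all failures (both kinds together, since the
    attacker sees the same reply for both). Returns a list of
    (timestamp, count) for each event at which the window holds at least
    `threshold` failures, plus a per-(kind, user) failure count."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort()
    alerts, per_user, start = [], defaultdict(int), 0
    for i, (ts, kind, user) in enumerate(events):
        per_user[(kind, user)] += 1
        while (ts - events[start][0]).total_seconds() > window_seconds:
            start += 1
        if i - start + 1 >= threshold:
            alerts.append((ts, i - start + 1))
    return alerts, dict(per_user)
```

Run against the sample, the first four attempts within one minute produce alerts while the lone failure from bob half an hour later does not.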

--- poppassd.before.jason.c     Thu May 27 11:45:42 1999
+++ poppassd.c  Thu May 27 11:50:18 1999
@@ -211,13 +211,16 @@
      
      if ((pw = getpwnam (user)) == NULL)
      {
-         WriteToClient ("500 Unknown user, %s.", user);
-         exit(1);
+          syslog(LOG_ERR, "Unknown user %s tried to use service", user);
+          sleep (5);
+          WriteToClient ("500 Old password is incorrect.");
+          exit(1);
      }
 
      if (chkPass (user, oldpass, pw) == FAILURE)
      {
          syslog(LOG_ERR, "Incorrect password from %s", user);
+          sleep (5);
          WriteToClient ("500 Old password is incorrect.");
          exit(1);
      }
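Review bot: the two failure branches now return the same "500 Old password is incorrect." text and the same sleep(5), which is what closes the enumeration channel, but two things in this hunk should change before commit. The added lines are indented with ten spaces while the surrounding block uses nine, so `syslog(LOG_ERR, "Unknown user %s tried to use service", user);`, `sleep (5);` and the two WriteToClient/exit lines should be realigned to the existing indent. More importantly, the new syslog call writes the client-supplied `user` string verbatim; that value is untrusted, so it should be length-limited and have non-printable characters stripped or escaped before it reaches the log, otherwise a crafted username can corrupt or forge entries in the very log an administrator would use to spot this attack. Worth a comment in the code as well: sleep(5) holds a poppassd process for five seconds per failed attempt, so the per-user or inetd process limit effectively becomes the rate limit, and that should be documented in the port's pkg-descr or a man page note.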
	

>Release-Note:
>Audit-Trail:
>Unformatted:

