Date: Sat, 15 Feb 2014 16:00:12 -0500
From: Alan DeKok <aland@freeradius.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Pierre Carrier <pierre.carrier@airbnb.com>, secalert <secalert@redhat.com>, pkgsrc-security <pkgsrc-security@netbsd.org>, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters <bugbusters@freebsd.org>, product.security@airbnb.com
Subject: Re: freeradius denial of service in authentication flow
Message-ID: <52FFD55C.5030408@freeradius.org>
In-Reply-To: <87sirkm8uo.fsf@mid.deneb.enyo.de>
References: <CAM7LUF55w4g7=GqhfFyys0fhJNKQtX-Pp804YWRW57GxbO9WDw@mail.gmail.com> <52FC1916.4060501@freeradius.org> <87sirkm8uo.fsf@mid.deneb.enyo.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Weimer wrote:
> * Alan DeKok:
>
>> That's an issue, but a rare one IMHO. The user has to exist on the
>> system. So this isn't a remote DoS.
>
> Could you elaborate on this assessment? Is this because typical data
> sources for SSHA passwords limit the length of the salt and thus the
> length of the SSHA hash?

  Partly. The typical use-case for a remote DoS is for an unauthenticated user to take down the system. Here, the user has to be known, *and* be able to create a long SSHA password.

  To me, this puts the issue into the category of "known users can do bad things", which is very different from "unknown users can do bad things".

  Alan DeKok.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBUv/VXKkul4vkAkl9AQLdvwQAgx4bd5aJOUA5l8sno2RwhzrLpXxDhLi0
ctaOcAcSmYdPabe5PMcb09lc9EbOGsuTr+lHOuNqWvE+63pFuw/7qom9IpdNtmkz
JMY1qSrCWbq7X/IE6M3MU90u3h/3IgO7rLCDXKipUL9CXf/Og/fH04DdNq6B2V8p
fRuJjdVRbLU=
=HrY0
-----END PGP SIGNATURE-----
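The mechanism the two messages above argue about, as an added illustration that is not FreeRADIUS code and not part of the thread: an {SSHA} value is base64(SHA-1(password || salt) || salt), and the format itself puts no upper bound on the salt, so whoever can set the stored password can make the stored value as long as the backing store allows. The parser below rejects a value whose decoded length exceeds a cap before it is used. The cap of 64 salt bytes, the function names and the sample password are assumptions chosen for this example.

```python
"""Bounded {SSHA} parsing and verification (illustrative, not FreeRADIUS's rlm_pap)."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20
# Assumption for this example: the {SSHA} format does not bound the salt,
# so the consumer picks a maximum. 64 bytes is far above what any
# directory or password tool emits in practice.
MAX_SALT_LEN = 64
MAX_DECODED_LEN = SHA1_LEN + MAX_SALT_LEN
# base64 turns every 3 input bytes into 4 characters; bound the text length
# so an oversized value is rejected before any decoding work is done.
MAX_B64_LEN = ((MAX_DECODED_LEN + 2) // 3) * 4


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} string the way LDAP-style tools do (salt appended)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt), raising ValueError for malformed or over-long values."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    b64 = stored[len("{SSHA}"):]
    if len(b64) > MAX_B64_LEN:
        raise ValueError("stored SSHA value too long")
    # validate=True makes non-alphabet characters an error instead of being skipped
    raw = base64.b64decode(b64, validate=True)  # raises binascii.Error (a ValueError)
    if len(raw) < SHA1_LEN:
        raise ValueError("stored SSHA value shorter than a SHA-1 digest")
    if len(raw) > MAX_DECODED_LEN:
        raise ValueError("SSHA salt exceeds configured maximum")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_ssha(password: bytes, stored: str) -> bool:
    """Constant-time comparison of SHA-1(password || salt) against the stored digest."""
    digest, salt = parse_ssha(stored)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample: a normal 8-byte salt and a deliberately oversized one.
    ok = make_ssha(b"correct horse", salt=b"saltsalt")
    print(check_ssha(b"correct horse", ok), check_ssha(b"wrong", ok))
    huge = make_ssha(b"correct horse", salt=b"A" * 200)
    try:
        parse_ssha(huge)
    except ValueError as e:
        print("rejected:", e)
```

The length check is deliberately placed on the base64 text, before decoding, so the cost of rejecting a bad value is a string-length comparison rather than a decode of attacker-sized input; the second check on the decoded length catches values that fit the text bound but still carry more salt than the cap allows.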