From owner-cvs-all Sat Jan 19 5:35:24 2002 Delivered-To: cvs-all@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-131.dsl.lsan03.pacbell.net [63.207.60.131]) by hub.freebsd.org (Postfix) with ESMTP id EAC5637B404; Sat, 19 Jan 2002 05:35:07 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3CAB366B74; Sat, 19 Jan 2002 05:35:07 -0800 (PST) Date: Sat, 19 Jan 2002 05:35:07 -0800 From: Kris Kennaway To: "Andrey A. Chernov" Cc: Kris Kennaway , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c Message-ID: <20020119053506.A77530@xor.obsecurity.org> References: <200201191009.g0JA95b91076@freefall.freebsd.org> <20020119042808.A67985@xor.obsecurity.org> <20020119123903.GA8776@nagual.pp.ru> <20020119124322.GB8776@nagual.pp.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="lrZ03NoBR/3+SXJZ" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020119124322.GB8776@nagual.pp.ru>; from ache@nagual.pp.ru on Sat, Jan 19, 2002 at 03:43:22PM +0300 Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --lrZ03NoBR/3+SXJZ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jan 19, 2002 at 03:43:22PM +0300, Andrey A. Chernov wrote: > > > Wait a minute..was this discussed anywhere? > >=20 > > We already live with this "change" several years when S/Key was here and > > nobody complaints. This is not a change, this is return to old way as it > > must be. > >=20 > > This change have nothing common to security, just eliminate obscurity. There were two points I made in my email: 1) This particular change is debatable; there are certainly other possible ways to fix the information leak about nonexistent user names. For example, regenerate a random seed once a week so the fake challenges only change slowly over time, as they would if the user was real. Anyway, my main point was: 2) If you don't fully understand the PAM code, as you admitted in an earlier email, then it's surely very easy to introduce inadvertent security vulnerabilities, and you should be a responsible enough programmer to solicit review without me having to tell you to. All PAM commits should be reviewed by a PAM-knowledgeable committer; this shouldn't be open to debate since it's pure common sense. In case the point needs further reinforcing, I can't think of a single security vulnerability in recent history which was introduced into FreeBSD by a committer who had the change reviewed; they've all been made by people who committed the code on their own without a review. Kris --lrZ03NoBR/3+SXJZ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8SXYKWry0BWjoQKURAkgFAJ4li1UUA0jprRdNI+viBVEEa8GXBACg6+hr CMFrz0FPtCpmDGDETCie9Ck= =LnEQ -----END PGP SIGNATURE----- --lrZ03NoBR/3+SXJZ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message