Date: Sat, 19 Jan 2002 16:48:10 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
Message-ID: <20020119134810.GB9275@nagual.pp.ru>
In-Reply-To: <20020119053506.A77530@xor.obsecurity.org>
References: <200201191009.g0JA95b91076@freefall.freebsd.org> <20020119042808.A67985@xor.obsecurity.org> <20020119123903.GA8776@nagual.pp.ru> <20020119124322.GB8776@nagual.pp.ru> <20020119053506.A77530@xor.obsecurity.org>
[-- Attachment #1 --]

On Sat, Jan 19, 2002 at 05:35:07 -0800, Kris Kennaway wrote:
>
> 1) This particular change is debatable; there are certainly other
> possible ways to fix the information leak about nonexistent user
> names. For example, regenerate a random seed once a week so the fake
> challenges only change slowly over time, as they would if the user was
> real. Anyway, my main point was:

Well, if a proper method is ever found (which is not possible without lots of unneeded fake-user emulation code), it can be considered for committing. What we have JUST RECENTLY is not acceptable in ANY CASE. It gains NOTHING. It needs to be removed or re-implemented completely. Since nobody has come up with a re-implementation, it is removed because it causes problems.

Now back to the unreal method you suggest. Just think about keeping internal state for every possible 16-letter (user name) combination and regenerating it once a week.

>
> 2) If you don't fully understand the PAM code, as you admitted in an
> earlier email, then it's surely very easy to introduce inadvertent
> security vulnerabilities, and you should be a responsible enough
> programmer to solicit review without me having to tell you to.

This is not the PAM code area; many non-PAM OPIE applications, e.g. from ports, already do it that way, i.e. they do not print out generated fake responses. Since we have PAM defined by default, this is the OPIE area.

--
Andrey A. Chernov
http://ache.pp.ru/

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQCVAwUBPEl5GeJgpPLZnQjrAQHGLQP/VGIHWu74Qx74K6oyx9P07tStdJvmT+TQ
Y4JMYur+1Y7zPp1WlbZGHXSAyX93z4YBD8r3BNHFfG/2TMT+u8py/iFktjC8uZ+x
hAM5zpr4yxQ6lOEByXSKd4Rq+BOVp0rZ+8Bv0qcfGQOwmtA3iwXwt0iUHgx++Zuv
jf4jzdzTvA0=
=WgXe
-----END PGP SIGNATURE-----
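The information leak under discussion is user enumeration: if a login prompt prints a stable OPIE challenge ("otp-md5 <sequence> <seed>") for real users but a fresh random one for unknown names, an attacker only has to ask twice to tell the two apart. The block below is an added example, written for this page; it is not code from the thread, from OPIE or from FreeBSD's pam_opie, and it does not implement either side's patch. It shows one stateless way to get the "changes slowly over time" behaviour Kris describes: instead of storing a seed per possible name, the fake challenge is derived with a keyed hash over (weekly epoch, username), so the same name gets the same challenge for a week without any table. The user database, the secret key, the use of HMAC-SHA256, the weekly period, the seed shape (two letters plus four digits) and the starting sequence of 499 are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample OPIE user database: (current sequence number, seed) per
# real user. These values are assumptions for the example, not real data.
REAL_USERS = {
    "alice": (498, "ke2371"),
    "bob": (312, "ke9904"),
}

OTP_MAX_SEQ = 499   # assumed starting sequence number for a fresh OPIE user
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def epoch_for(unix_time, period_seconds=7 * 24 * 3600):
    """Coarse time bucket (default: one week). Fake challenges only change
    when this value changes, so they drift slowly like a real user's would."""
    return unix_time // period_seconds


def fake_challenge(username, secret_key, epoch):
    """Deterministic fake challenge for a nonexistent user.

    HMAC(secret, epoch || 0x00 || username) gives a value that is stable for the
    whole epoch, different for every name, and unpredictable without the key.
    No per-username state is kept anywhere. In a real deployment the key would
    live in a root-only file so it survives across processes (assumption)."""
    msg = epoch.to_bytes(8, "big") + b"\x00" + username.encode("utf-8")
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[:2], "big") % OTP_MAX_SEQ
    # Seed shaped like OPIE's usual two letters + digits (assumed format).
    seed = (LETTERS[digest[2] % 26] + LETTERS[digest[3] % 26]
            + f"{int.from_bytes(digest[4:6], 'big') % 10000:04d}")
    return f"otp-md5 {seq} {seed}"


def real_challenge(seq, seed):
    return f"otp-md5 {seq} {seed}"


def challenge_for(username, secret_key, epoch, users=REAL_USERS):
    """What the prompt prints. Both branches produce the same format, so the
    prompt alone does not tell the caller whether the account exists."""
    if username in users:
        seq, seed = users[username]
        return real_challenge(seq, seed)
    return fake_challenge(username, secret_key, epoch)


def naive_fake_challenge():
    """The weak behaviour: a fresh random challenge on every request.
    A real user's challenge is identical between two attempts, so a fake that
    changes each time stands out immediately."""
    seq = 1 + secrets.randbelow(OTP_MAX_SEQ)
    seed = (secrets.choice(LETTERS) + secrets.choice(LETTERS)
            + f"{secrets.randbelow(10000):04d}")
    return f"otp-md5 {seq} {seed}"


def enumeration_probe(get_challenge, username):
    """Attacker's check: request the challenge twice. True means the two
    differ, i.e. the name is most likely not a real account."""
    return get_challenge(username) != get_challenge(username)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # would be persisted in practice
    epoch = epoch_for(1011453000)           # a timestamp from January 2002
    for name in ("alice", "nobody"):
        print(name, "->", challenge_for(name, key, epoch))
    print("keyed fake looks real:",
          not enumeration_probe(lambda u: challenge_for(u, key, epoch), "nobody"))
    print("naive fake detected:",
          enumeration_probe(lambda u: naive_fake_challenge(), "nobody"))
```

The keyed derivation removes the need Andrey describes for a stored entry per possible 16-character name: the "state" is one secret plus the clock. It does not make the fake perfect. A real user's sequence number decrements on each successful login while the fake's never does, and on rollover to a new epoch every fake changes at once, which an attacker comparing many names over weeks could notice. Whether that residual signal is acceptable is the trade-off the thread is arguing about, not something the example settles.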
