Date: Sat, 19 Jan 2002 18:37:17 +0300
From: "Andrey A. Chernov"
To: Mark Murray
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c

On Sat, Jan 19, 2002 at 17:37:40 +0300, Andrey A. Chernov wrote:
> >
> > An attacker can now tell the difference between a real UID and one which
> > does not exist.
>
> And what next? BTW, there are lots of other methods to tell this, e.g.
> sendmail.
>

I will explain more in case this statement is unclear. Yes, for a non-OPIE user it does matter to know how real he is, because a plaintext password can be cracked, for example, by a dictionary attack, or just guessed from the user's biography. But for an OPIE user that is impossible, so he can show himself safely. Since currently non-OPIE and nonexistent users look identical, I see no advantage for an intruder in knowing that some user uses OPIE.

--
Andrey A. Chernov
http://ache.pp.ru/