From owner-freebsd-bugbusters@FreeBSD.ORG  Sat Feb 15 20:46:41 2014
Return-Path: <owner-freebsd-bugbusters@FreeBSD.ORG>
Delivered-To: bugbusters@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E741689E
 for <bugbusters@freebsd.org>; Sat, 15 Feb 2014 20:46:41 +0000 (UTC)
Received: from ka.mail.enyo.de (ka.mail.enyo.de [87.106.162.201])
 (using TLSv1 with cipher AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id A173B180C
 for <bugbusters@freebsd.org>; Sat, 15 Feb 2014 20:46:41 +0000 (UTC)
Received: from [172.17.135.4] (helo=deneb.enyo.de)
 by ka.mail.enyo.de with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 id 1WEldH-0008L6-Ht; Sat, 15 Feb 2014 21:14:39 +0100
Received: from fw by deneb.enyo.de with local (Exim 4.80)
 (envelope-from <fw@deneb.enyo.de>)
 id 1WEldH-0000FD-Cy; Sat, 15 Feb 2014 21:14:39 +0100
From: Florian Weimer <fw@deneb.enyo.de>
To: Alan DeKok <aland@freeradius.org>
Subject: Re: freeradius denial of service in authentication flow
References: <CAM7LUF55w4g7=GqhfFyys0fhJNKQtX-Pp804YWRW57GxbO9WDw@mail.gmail.com>
 <52FC1916.4060501@freeradius.org>
Date: Sat, 15 Feb 2014 21:14:39 +0100
In-Reply-To: <52FC1916.4060501@freeradius.org> (Alan DeKok's message of "Wed, 
 12 Feb 2014 20:00:06 -0500")
Message-ID: <87sirkm8uo.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailman-Approved-At: Sat, 15 Feb 2014 21:01:21 +0000
Cc: Pierre Carrier <pierre.carrier@airbnb.com>, secalert <secalert@redhat.com>,
 pkgsrc-security <pkgsrc-security@netbsd.org>, security@ubuntu.com,
 security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org,
 bugbusters <bugbusters@freebsd.org>, product.security@airbnb.com
X-BeenThere: freebsd-bugbusters@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Coordination of the Problem Report handling effort."
 <freebsd-bugbusters.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugbusters>, 
 <mailto:freebsd-bugbusters-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugbusters/>
List-Post: <mailto:freebsd-bugbusters@freebsd.org>
List-Help: <mailto:freebsd-bugbusters-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugbusters>, 
 <mailto:freebsd-bugbusters-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Feb 2014 20:46:42 -0000

* Alan DeKok:

>   That's an issue, but a rare one IMHO.  The user has to exist on the
> system.  So this isn't a remote DoS.

Could you elaborate on this assessment?  Is this because typical data
sources for SSHA passwords limit the length of the salt and thus the
length of the SSHA hash?

Florian
(Debian security team)