From: Florian Weimer
To: Alan DeKok
Cc: Pierre Carrier, secalert, pkgsrc-security, security@ubuntu.com, security@freeradius.org, pupykin.s+arch@gmail.com, security@debian.org, bugbusters, product.security@airbnb.com
Subject: Re: freeradius denial of service in authentication flow
Date: Sat, 15 Feb 2014 21:14:39 +0100
Message-ID: <87sirkm8uo.fsf@mid.deneb.enyo.de>
In-Reply-To: <52FC1916.4060501@freeradius.org> (Alan DeKok's message of "Wed, 12 Feb 2014 20:00:06 -0500")
References: <52FC1916.4060501@freeradius.org>
List-Id: "Coordination of the Problem Report handling effort." (freebsd-bugbusters@freebsd.org)

* Alan DeKok:

> That's an issue, but a rare one IMHO. The user has to exist on the
> system. So this isn't a remote DoS.
Could you elaborate on this assessment? Is this because typical data sources for SSHA passwords limit the length of the salt and thus the length of the SSHA hash?

Florian (Debian security team)
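For readers who have not seen the format the question turns on: an {SSHA} value as stored in OpenLDAP-style directories is base64(SHA1(password || salt) || salt). Nothing in the encoding states the salt length; a verifier recovers the salt as whatever bytes follow the 20-byte SHA-1 digest, so the salt length is bounded only by whatever the data source that supplied the hash allows. The following is an added example written for this page, not FreeRADIUS code and not taken from the thread. It decodes and verifies {SSHA} values and shows how the salt length falls out of the decoded length; the optional max_salt_len cap is an illustrative assumption, not a mitigation the thread describes.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

SHA1_LEN = 20  # SHA-1 digest size in bytes; everything after it is salt


def ssha_encode(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} string as OpenLDAP does: base64(SHA1(pw || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Decode an {SSHA} value into (digest, salt).

    The salt length is not encoded anywhere; it is simply the decoded
    length minus the fixed digest length.
    """
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len(prefix):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_salt_len(stored: str) -> int:
    """Return the salt length implied by a stored {SSHA} value."""
    return len(ssha_split(stored)[1])


def ssha_verify(password: bytes, stored: str,
                max_salt_len: Optional[int] = None) -> bool:
    """Check password against an {SSHA} value.

    max_salt_len is an illustrative, hypothetical bound (not from the
    thread): when set, a salt longer than it is rejected before any
    hashing is done, so the cost of the check is capped by the caller
    rather than by whoever produced the stored value.
    """
    digest, salt = ssha_split(stored)
    if max_salt_len is not None and len(salt) > max_salt_len:
        raise ValueError(
            f"salt of {len(salt)} bytes exceeds limit of {max_salt_len}")
    candidate = hashlib.sha1(password + salt).digest()
    # Constant-time comparison of the two 20-byte digests.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    short = ssha_encode(b"secret", b"12345678")
    huge = ssha_encode(b"secret", b"\x00" * (1 << 20))  # 1 MiB salt
    print(short, ssha_salt_len(short), ssha_verify(b"secret", short))
    print(ssha_salt_len(huge), ssha_verify(b"secret", huge))
    try:
        ssha_verify(b"secret", huge, max_salt_len=64)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of ssha_salt_len is that the verifier, not the hash, decides how much data it is prepared to hash: a stored value with a one-megabyte salt decodes and verifies exactly like one with an eight-byte salt unless the caller imposes a bound.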