Date: Sat, 19 Jan 2002 18:37:17 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Mark Murray <mark@grondar.za>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
Message-ID: <20020119153717.GA10562@nagual.pp.ru>
In-Reply-To: <20020119143740.GC9803@nagual.pp.ru>
References: <20020119110253.GC7683@nagual.pp.ru> <200201191419.g0JEJDt21531@grimreaper.grondar.org> <20020119143740.GC9803@nagual.pp.ru>

On Sat, Jan 19, 2002 at 17:37:40 +0300, Andrey A. Chernov wrote:
> >
> > An attacker can now tell the difference between a real UID and one which
> > does not exist.
>
> And what next? BTW, there are lots of other methods to tell this, f.e.
> sendmail.
>

I explain more in case this statement is unclear. Yes, for non-OPIE user it is the case to know how real he is, because plaintext password can be cracked, for example, by dictionary attack or just guessed from user biography. But for OPIE user it is impossible, so he can show himself safely. Since currently non-OPIE and nonexistent users look identical, I see no advantage for intruder in knowing that some user uses OPIE.

--
Andrey A. Chernov
http://ache.pp.ru/
