On Thu, 28 Jul 2005, Chip Seraphine wrote:

> Eric Sorenson wrote:
> > Mark has said before that this behavior is intentional, to avoid giving
> > specific error information to an attacker.
>
> Just curious-- if authentication has been established, why are we withholding
> useful error messages from the client?

Here's the message I was remembering:

http://lists.gnu.org/archive/html/help-cfengine/2005-04/msg00118.html

    Cfservd never tells you specifically why something failed. It's a "feature".
    But there should probably be an option to provide specific messages to
    trusted hosts or something... More things for the future.

    M

IIRC there's a generic path back up the stack from a failed stat and it throws the "Host auth failed" message along the way.

(Personally I agree with you: IMO the risk of an attacker gleaning something from a cfengine error message is massively overbalanced by the confusion that this causes for legitimate users.)

--
- Eric Sorenson - N37 17.255 W121 55.738 - http://eric.explosive.net -
- Personal colo with a professional touch - http://www.explosive.net -
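The behaviour discussed in this thread, as an added example that is not part of the original message and is not cfservd's code: every failure cause collapses to the one client-visible "Host auth failed" string while the specific reason goes to the server's own log, with an opt-in switch that reveals the reason to authenticated, trusted peers. The function name, the `detail_for_trusted` switch and the sample path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define GENERIC_REPLY "Host auth failed"   /* the message quoted in the thread */

/* Hypothetical policy switch: reveal the real reason to trusted peers. */
static int detail_for_trusted = 0;

/* Decide what the client sees for a request to stat `path`.
 * The specific reason is always written to the server log (stderr here);
 * the client receives it only if authenticated, trusted, and the switch is on.
 * Returns 0 on success, -1 on failure; `reply` receives the client text. */
int handle_stat_request(const char *path, int authenticated, int trusted,
                        char *reply, size_t len)
{
    struct stat sb;
    char reason[256];

    if (!authenticated) {
        snprintf(reason, sizeof reason, "peer failed authentication");
    } else if (stat(path, &sb) != 0) {
        snprintf(reason, sizeof reason, "stat(%s): %s", path, strerror(errno));
    } else {
        snprintf(reply, len, "OK size=%lld", (long long)sb.st_size);
        return 0;
    }

    fprintf(stderr, "server log: %s\n", reason);    /* operator keeps the detail */
    if (authenticated && trusted && detail_for_trusted)
        snprintf(reply, len, "%s", reason);
    else
        snprintf(reply, len, "%s", GENERIC_REPLY);  /* same text for every cause */
    return -1;
}

int main(void)
{
    char r[256];
    const char *p = "/nonexistent/constructed-path";  /* constructed sample input */

    handle_stat_request(p, 1, 1, r, sizeof r);
    printf("default:          %s\n", r);
    detail_for_trusted = 1;
    handle_stat_request(p, 1, 1, r, sizeof r);
    printf("trusted + option: %s\n", r);
    return 0;
}
```

With the switch off, a missing file and a failed authentication are indistinguishable to the client, which is the confusion the thread describes; the server log still separates them.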