[ 
https://issues.apache.org/jira/browse/GUACAMOLE-991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17066844#comment-17066844
 ] 

Mathieu CARBONNEAUX commented on GUACAMOLE-991:
-----------------------------------------------

in fact:
 * TOTP alone can be brute-forced, but it is difficult if it is coupled with 
fail2ban...
 * user/pass can be brute-forced, but it is difficult if it is coupled with 
fail2ban...
 * all of these can be brute-forced in a distributed way.
 * but TOTP + user/pass coupled are very difficult to brute-force (you must 
do 1000 to 1000000 authentication requests in 30s to have a chance of finding the 
user+pass+token couple)... they make brute force very difficult even if 
it is distributed...
 * and coupled with fail2ban... it is too difficult to brute-force... even if 
distributed...

 

> Pass and User Check before OTP Check make possible brute force...
> -----------------------------------------------------------------
>
>                 Key: GUACAMOLE-991
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>            Reporter: Mathieu CARBONNEAUX
>            Priority: Trivial
>
> Hi,
>  
> Guacamole with the OTP module works like a charm...
> but the user and password are checked before redirecting to the OTP page...
> this makes user/pass brute force possible, because the attacker can know if the 
> user + password is valid....
> ok, they need the token to achieve the complete connection... but they know the 
> password...
>  
> why not redirect systematically to the OTP form, and check user + pass after 
> the OTP form is posted (do the token validation only if user/pass are ok)? or use 
> a 3-field form?
> in that way the attacker cannot know if the password is ok or if the token is 
> bad...
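The ordering argument made in the comment above and in the quoted issue, as an added Python example (not Guacamole code and not the commenter's): a login that verifies the password before the token answers differently for "right password, wrong token" than for "wrong password, wrong token", while a single combined check gives one answer for every failure. The user store, the placeholder password and the TOTP secret (the RFC 6238 test-vector key) are constructed for this demo.

```python
import hashlib, hmac, struct

# Constructed demo user store (not Guacamole's schema). The TOTP secret is
# the RFC 6238 test-vector key; the password is a placeholder.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890",
    }
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the 30 s window containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return rec is not None and hmac.compare_digest(rec["pw_hash"], digest)

def _token_ok(user: str, token: str, now: int) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(totp(rec["totp_secret"], now), token)

def login_sequential(user: str, password: str, token: str, now: int) -> str:
    """Flow the issue describes: the reply alone reveals whether user/pass was right."""
    if not _password_ok(user, password):
        return "bad_credentials"
    if not _token_ok(user, token, now):
        return "bad_token"
    return "ok"

def login_combined(user: str, password: str, token: str, now: int) -> str:
    """Flow the reporter suggests: one form, one answer; both factors always evaluated."""
    pw_ok = _password_ok(user, password)
    tk_ok = _token_ok(user, token, now)
    return "ok" if (pw_ok and tk_ok) else "fail"

def password_confirmable(login, now: int) -> bool:
    """True if the reply differs between (right password, wrong token) and
    (wrong password, wrong token): the property the issue warns about."""
    real = totp(USERS["alice"]["totp_secret"], now)
    wrong = "000000" if real != "000000" else "111111"
    return login("alice", "correct horse", wrong, now) != login("alice", "nope", wrong, now)
```

Evaluating both factors unconditionally in `login_combined` also keeps the failure path's timing from hinting which factor was wrong; rate limiting such as the fail2ban coupling discussed above is still needed against the remaining 10^6-per-window guess space.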
--
This message was sent by Atlassian Jira
(v8.3.4#803005)