[ https://issues.apache.org/jira/browse/GUACAMOLE-991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17066844#comment-17066844 ]
Mathieu CARBONNEAUX commented on GUACAMOLE-991:
-----------------------------------------------

in fact:
* totp alone can be brute forced, but it is difficult if it is coupled with fail2ban...
* user/pass can be brute forced, but it is difficult if it is coupled with fail2ban...
* all of these can be brute forced in a distributed way.
* but totp + user/pass coupled are very difficult to brute force (you must do 1000 to 1000000 authentication requests in 30s to have a chance to find the couple user+pass+token)... this makes it very difficult to brute force even if it is distributed...
* and coupled with fail2ban... it is too difficult to brute force... even if distributed...

> Pass and User Check before OTP Check make possible brute force...
> -----------------------------------------------------------------
>
>                 Key: GUACAMOLE-991
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>            Reporter: Mathieu CARBONNEAUX
>            Priority: Trivial
>
> Hi,
>
> Guacamole with the otp module works like a charm...
> but the user and password are checked before redirecting to the otp page...
> this makes user/pass brute force possible, because the attacker can know if the
> user + password is valid....
> ok they need the token to achieve the complete connection... but they know the
> password...
>
> why not redirect systematically to the otp form, and check user + pass after
> the otp form post (do the token validation only if user/pass are ok)? or use a
> 3 fields form?
> in that way the attacker cannot know if the password is ok or if the token is
> bad...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
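The design point raised in the issue and the comment above, as an added, self-contained illustration that is not Guacamole's or the guacamole-auth-totp extension's code: a login handler that checks the password first and then the token tells the caller which factor failed, so each factor can be searched separately; a handler that evaluates both factors together and returns a single "failed" result forces the attacker to search the user+pass+token space at once, which is what the comment's 30-second window argument relies on. The user table, the PBKDF2 password hashing, the `login_sequential` / `login_combined` names and the skew window of one step either side are all assumptions made for this example; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits).

```python
"""Sequential vs. combined password + TOTP verification (added example, not
Guacamole code). Everything here is constructed: the in-memory user table,
the PBKDF2 hashing, and the hypothetical login_* API."""
import hashlib
import hmac
import os
import struct
import time


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret}


# Constructed sample user table; the secret is the RFC 6238 test-vector key.
USERS = {"alice": make_user("correct horse", b"12345678901234567890")}

# Dummy record so an unknown username costs the same work as a known one.
_DUMMY = make_user("dummy", b"\x00" * 20)


def password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))


def token_ok(user: dict, token: str, now: int) -> bool:
    # Accept the current step and one step either side for clock skew
    # (assumed window; a real deployment would also reject token replay).
    return any(hmac.compare_digest(totp(user["totp_secret"], now + d), token)
               for d in (-30, 0, 30))


def login_sequential(username: str, password: str, token: str, now: int) -> str:
    """The ordering the issue describes: the outcome reveals which factor failed."""
    user = USERS.get(username)
    if user is None or not password_ok(user, password):
        return "bad credentials"     # caller learns the password was wrong
    if not token_ok(user, token, now):
        return "bad token"           # caller learns the password was RIGHT
    return "ok"


def login_combined(username: str, password: str, token: str, now: int) -> str:
    """Evaluate password and token together; report only success or failure."""
    user = USERS.get(username, _DUMMY)
    pw = password_ok(user, password)
    tk = token_ok(user, token, now)
    # `&` instead of `and`: both checks always run, so neither the message
    # nor the short-circuit timing hints at which factor was wrong.
    ok = (username in USERS) & pw & tk
    return "ok" if ok else "failed"


if __name__ == "__main__":
    now = int(time.time())
    good = totp(USERS["alice"]["totp_secret"], now)
    for handler in (login_sequential, login_combined):
        print(handler.__name__,
              "| wrong password:", handler("alice", "wrong", good, now),
              "| right password, wrong token:", handler("alice", "correct horse", "xxxxxx", now))
```

Run as a script, the sequential handler prints two different failure strings for the two probes while the combined handler prints "failed" for both, which is the observable difference the issue is about. Rate limiting (fail2ban in the comment) sits in front of either handler; it does not remove the oracle in the sequential one.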