On Thu, Apr 5, 2012 at 6:51 AM, Otto Moerbeek o...@drijf.net wrote:
That sounds like timing based attacks to guess a username still will work.
-Otto
First thing I thought when reading your reply: absolute nonsense. With
that mindset I really wanted to disprove your suggestion. For this
On Thu, Apr 05, 2012 at 01:32:46PM +0200, Bjørn Ketelaars wrote:
On Thu, Apr 5, 2012 at 6:51 AM, Otto Moerbeek o...@drijf.net wrote:
That sounds like timing based attacks to guess a username still will work.
-Otto
First thing I thought when reading your reply: absolute nonsense.
2012/4/3 Theo de Raadt dera...@cvs.openbsd.org:
Hmm, I'd like to see that refactored somehow.
Also, '-' should not be legal at the start of a login name. There
are things that care. I think at the end it is OK, though.
Crazy eh. Isn't there something else in libc that checks this?
pretty confident a regex won't fly :)
On 04/04/2012, at 11:34 PM, Bjørn Ketelaars wrote:
2012/4/3 Theo de Raadt dera...@cvs.openbsd.org:
Hmm, I'd like to see that refactored somehow.
Also, '-' should not be legal at the start of a login name. There
are things that care. I think at the end
On 2012/04/04 15:34, Bjørn Ketelaars wrote:
2012/4/3 Theo de Raadt dera...@cvs.openbsd.org:
Hmm, I'd like to see that refactored somehow.
Also, '-' should not be legal at the start of a login name. There
are things that care. I think at the end it is OK, though.
Crazy eh. Isn't
Why doesn't login_yubikey just use getpwnam() to check if the
user exists like the other login_* mechs?
Why make it simple if there are exciting pattern matching options like
regexp or multiple if-statements ;-)
Index: login_yubikey.c
Why do we care if the user exists? Ideally, you want the code to
behave more or less the same whether the user is real or not.
Otherwise, a remote attacker can guess valid usernames by timing a
login attempt.
For safety's sake, it makes sense to reject a username with a '/'
in it since the
2012/4/4 Todd C. Miller todd.mil...@courtesan.com:
Why do we care if the user exists? Ideally, you want the code to
behave more or less the same whether the user is real or not.
Otherwise, a remote attacker can guess valid usernames by timing a
login attempt.
For safety's sake, it makes
On Wed, Apr 04, 2012 at 09:43:35PM +0200, Bjørn Ketelaars wrote:
2012/4/4 Todd C. Miller todd.mil...@courtesan.com:
Why do we care if the user exists? Ideally, you want the code to
behave more or less the same whether the user is real or not.
Otherwise, a remote attacker can guess valid
2012/4/1 Theo de Raadt dera...@cvs.openbsd.org:
You should really re-do that so that the login name cannot start or
end with a '.'
Index: login_yubikey.c
===
RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v
retrieving