Date: Sat, 19 Jan 2002 16:48:10 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Kris Kennaway <kris@obsecurity.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opie pam_opie.c
Message-ID: <20020119134810.GB9275@nagual.pp.ru>
In-Reply-To: <20020119053506.A77530@xor.obsecurity.org>
References: <200201191009.g0JA95b91076@freefall.freebsd.org> <20020119042808.A67985@xor.obsecurity.org> <20020119123903.GA8776@nagual.pp.ru> <20020119124322.GB8776@nagual.pp.ru> <20020119053506.A77530@xor.obsecurity.org>
On Sat, Jan 19, 2002 at 05:35:07 -0800, Kris Kennaway wrote:
>
> 1) This particular change is debatable; there are certainly other
> possible ways to fix the information leak about nonexistent user
> names. For example, regenerate a random seed once a week so the fake
> challenges only change slowly over time, as they would if the user was
> real. Anyway, my main point was:

Well, if a proper method is ever found (which is not possible without
lots of unneeded fake-user emulation code), it can be considered for
committing. What we have JUST RECENTLY is not acceptable in ANY CASE. It
gains NOTHING. It needs to be removed or re-implemented completely. Since
nobody comes up with a re-implementation, it is removed because it causes
problems.

Now back to the unreal method you suggest. Just think about keeping
internal state for every possible 16-letter (user name) combination and
regenerating it once a week.

>
> 2) If you don't fully understand the PAM code, as you admitted in an
> earlier email, then it's surely very easy to introduce inadvertent
> security vulnerabilities, and you should be a responsible enough
> programmer to solicit review without me having to tell you to.

This is not the PAM code area; many non-PAM OPIE applications, e.g. from
ports, already do it that way, i.e. do not print out generated fake
responses. Since we have PAM defined by default, this is the OPIE area.

--
Andrey A. Chernov
http://ache.pp.ru/
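As an added illustration that is not part of this thread or of FreeBSD's pam_opie code: the slowly-rotating fake challenge Kris describes can be derived from a keyed hash of the user name and a per-week secret, so the challenge for an unknown name stays stable for a week without storing state per name. The secret, the rotation period and the OPIE challenge layout ("otp-md5 <seq> <seed>") used here are assumptions for the example.

```python
import hashlib
import hmac
import time

# Hypothetical long-term secret; a real deployment would read it from a
# root-only file so that fake challenges cannot be predicted off-host.
ROTATION_SECRET = b"constructed-example-secret"
ROTATION_PERIOD = 7 * 24 * 3600  # one week, as in Kris's suggestion

def epoch_key(secret, now, period=ROTATION_PERIOD):
    """Derive a per-period key that only changes when `now` crosses a
    period boundary, so no per-user-name state has to be kept."""
    epoch = int(now) // period
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()

def fake_challenge(username, secret=ROTATION_SECRET, now=None):
    """Return an OPIE-style challenge for a name that has no OPIE entry.

    Within one rotation period the same name always yields the same
    challenge; after the period it changes, as a real user's would after
    a re-keying. Caveat (the point Andrey raises): a real user's sequence
    number decrements on every login, while this one stays fixed for a
    week, so the two remain distinguishable to a patient observer.
    """
    if now is None:
        now = time.time()
    key = epoch_key(secret, now)
    digest = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    # OPIE sequence numbers run 1..499; seeds are short alphanumeric
    # strings (layout approximated here, not copied from libopie).
    seq = 1 + int.from_bytes(digest[:2], "big") % 499
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    seed = "".join(alphabet[b % len(alphabet)] for b in digest[2:8])
    return "otp-md5 %d %s" % (seq, seed)
```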