[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: adduser: what is the difference between --disabled-password and--disabled-login

On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > I also think it would be really "cool"(TM) if the system could display
> > a message "password expired" or "account is locked" if the user
> > successfully authenticates to the system but is unable to authorize
> > the user to use the system. This saves the user wondering "did I use
> > the correct password?", "Did I enter it in correctly?", etc.
> This leaks information to attackers about the state of the account.

Hence "could": I don't consider the fact that an account is expired or
locked (or exists, for that matter) to be sensitive information, for
my uses, and would much prefer to give proper error messages.  People
with different security needs/philosophies use different policies ...

(I'd be satisfied if I could convinced logins/su to not force a pointless
delay on an incorrect password--the only thing more annoying than mistyping
my password is having my own system force me to wait.  One of these days I'll
get annoyed enough by this to track down why "FAIL_DELAY 0" isn't being
honored ...)

Glenn Maynard

Reply to: