On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote: > On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote: > > > I also think it would be really "cool"(TM) if the system could display > > > a message "password expired" or "account is locked" if the user > > > successfully authenticates to the system but is unable to authorize > > > the user to use the system. This saves the user wondering "did I use > > > the correct password?", "Did I enter it in correctly?", etc. > > This leaks information to attackers about the state of the account. > Hence "could": I don't consider the fact that an account is expired or > locked (or exists, for that matter) to be sensitive information, for > my uses, and would much prefer to give proper error messages. People > with different security needs/philosophies use different policies ... The trouble with doing this, in PAM-based systems, is that authentication precedes authorization; so any message that informs the user that the account is not authorized (i.e., it's expired or locked) also informs the attacker that authentication succeeded. So, it's not just information about the account state that's being leaked; you're also leaking authentication tokens. -- Steve Langasek postmodern programmer
Attachment:
signature.asc
Description: Digital signature