Re: adduser: what is the difference between --disabled-password and --disabled-login

On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote:
> On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > > I also think it would be really "cool"(TM) if the system could display
> > > a message "password expired" or "account is locked" if the user
> > > successfully authenticates to the system but is unable to authorize
> > > the user to use the system. This saves the user wondering "did I use
> > > the correct password?", "Did I enter it in correctly?", etc.

> > This leaks information to attackers about the state of the account.

> Hence "could": I don't consider the fact that an account is expired or
> locked (or exists, for that matter) to be sensitive information, for
> my uses, and would much prefer to give proper error messages.  People
> with different security needs/philosophies use different policies ...

The trouble with doing this, in PAM-based systems, is that authentication
precedes authorization; so any message that informs the user that the
account is not authorized (i.e., it's expired or locked) also informs the
attacker that authentication succeeded.

So, it's not just information about the account state that's being leaked;
you're also leaking authentication tokens.

Steve Langasek
postmodern programmer
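As an added illustration, not part of this thread, here is a toy Python model of the ordering Steve describes: the password check (auth stage) runs before the expiry/lock check (account stage), so a "locked" or "expired" reply can only ever be reached with the right password. The hardened variant returns one message for every failure and keeps the real reason in the server log; the users, salts and hashes are constructed for the example and nothing here is PAM code.

```python
"""Toy PAM-style login: auth (password) precedes account (expiry/lock).
Constructed example; the user records below are made up."""
import hashlib
import hmac
import logging

log = logging.getLogger("login")

def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in password hash for the example (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account database: name -> (salt, hash, account state)
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), "active"),
    "bob":   (_SALT, _hash("battery staple", _SALT), "locked"),
    "carol": (_SALT, _hash("s3cret", _SALT), "expired"),
}

def pam_stack(user: str, password: str) -> tuple[bool, str]:
    """Return (authorized, internal_reason). Auth stage runs first."""
    rec = USERS.get(user)
    if rec is None:
        return False, "no such user"
    salt, stored, state = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "bad password"          # auth stage failed
    if state != "active":                     # account stage failed
        return False, f"account {state}"      # only reachable after auth OK
    return True, "ok"

def verbose_login(user: str, password: str) -> str:
    """Leaky variant: reports *why* login failed. Because 'locked' or
    'expired' is only returned once the password matched, the message
    confirms the credential even though access was refused."""
    ok, reason = pam_stack(user, password)
    return "Login OK" if ok else f"Login failed: {reason}"

def uniform_login(user: str, password: str) -> str:
    """Hardened variant: one message for every failure; the precise reason
    is logged server-side for the administrator, not shown to the caller."""
    ok, reason = pam_stack(user, password)
    if not ok:
        log.warning("login failed for %r: %s", user, reason)
        return "Login failed"
    return "Login OK"
```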

