Re: adduser: what is the difference between --disabled-password and --disabled-login
On Sat, 14 May 2005 20:29:03 -0700
Steve Langasek <firstname.lastname@example.org> wrote:
> On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote:
> > On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > > > I also think it would be really "cool"(TM) if the system could display
> > > > a message "password expired" or "account is locked" if the user
> > > > successfully authenticates to the system but is unable to authorize
> > > > the user to use the system. This saves the user wondering "did I use
> > > > the correct password?", "Did I enter it in correctly?", etc.
> > > This leaks information to attackers about the state of the account.
> > Hence "could": I don't consider the fact that an account is expired or
> > locked (or exists, for that matter) to be sensitive information, for
> > my uses, and would much prefer to give proper error messages. People
> > with different security needs/philosophies use different policies ...
> The trouble with doing this, in PAM-based systems, is that authentication
> precedes authorization; so any message that informs the user that the
> account is not authorized (i.e., it's expired or locked) also informs the
> attacker that authentication succeeded.
> So, it's not just information about the account state that's being leaked;
> you're also leaking authentication tokens.
> Steve Langasek
> postmodern programmer
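The ordering argument made in the quoted message (PAM runs its auth stack before its account stack, so a "locked" or "expired" message is only ever shown after the password was accepted) can be seen directly in a small model. The following is an added example written for this page, not code from the thread or from PAM itself: `pam_authenticate` and `pam_acct_mgmt` are toy stand-ins for the two PAM phases, the user database, the PBKDF2 hashing and the attacker loop are constructed for the demonstration, and the two `login_*` functions contrast the verbose behaviour proposed in the thread with one that collapses every failure into a single message.

```python
"""Toy model of the PAM auth-then-account ordering.

Added example, not part of the original mailing-list thread. Shows why a
"password expired" / "account is locked" message turns a locked account
into a password oracle: the message is only reachable after authentication
succeeded, so it confirms the guess even though the login is refused.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    expired: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a deliberately low iteration count so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)


def make_account(name: str, password: str, locked: bool = False,
                 expired: bool = False) -> Account:
    salt = secrets.token_bytes(16)
    return Account(name, salt, _hash_password(password, salt), locked, expired)


# Constructed user database: alice's account is locked (the case discussed
# in the thread), bob's account is active.
USERS: Dict[str, Account] = {
    "alice": make_account("alice", "correct horse", locked=True),
    "bob": make_account("bob", "battery staple"),
}
_DUMMY_SALT = secrets.token_bytes(16)  # hashed against when the user is unknown


def pam_authenticate(users: Dict[str, Account], name: str, password: str) -> bool:
    """Stand-in for the PAM 'auth' stack: checks the credential and nothing else."""
    acct = users.get(name)
    salt = acct.salt if acct is not None else _DUMMY_SALT
    candidate = _hash_password(password, salt)  # same work whether or not user exists
    if acct is None:
        return False
    return hmac.compare_digest(candidate, acct.pw_hash)


def pam_acct_mgmt(acct: Account) -> str:
    """Stand-in for the PAM 'account' stack, reached only after auth succeeded."""
    if acct.locked:
        return "locked"
    if acct.expired:
        return "expired"
    return "ok"


def login_verbose(users: Dict[str, Account], name: str, password: str) -> str:
    """The 'helpful' behaviour proposed in the thread: say why authorization
    failed. Because auth ran first, any reply other than the auth-failure
    message confirms that the password was correct."""
    if not pam_authenticate(users, name, password):
        return "authentication failed"
    status = pam_acct_mgmt(users[name])
    if status != "ok":
        return f"account is {status}"
    return "login ok"


def login_opaque(users: Dict[str, Account], name: str, password: str) -> str:
    """Same two phases, but every failure collapses to one message, so the
    account state no longer acts as an oracle for the password."""
    if not pam_authenticate(users, name, password):
        return "login failed"
    if pam_acct_mgmt(users[name]) != "ok":
        return "login failed"
    return "login ok"


def recover_password(login: Callable[[Dict[str, Account], str, str], str],
                     users: Dict[str, Account], name: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Attacker loop: a guess is confirmed as soon as the reply differs from
    the reply to a known-bad guess, even when the account cannot be used."""
    baseline = login(users, name, "\x00known-bad-guess\x00")
    for guess in candidates:
        if login(users, name, guess) != baseline:
            return guess
    return None


if __name__ == "__main__":
    guesses = ["password", "hunter2", "correct horse", "letmein"]
    print("verbose login leaks:", recover_password(login_verbose, USERS, "alice", guesses))
    print("opaque login leaks: ", recover_password(login_opaque, USERS, "alice", guesses))
```

Against the locked account the verbose variant hands back alice's password on the third guess, while the opaque variant returns nothing: the locked account answers exactly like a wrong password. Real PAM modules have further side channels (response timing, per-module logging, `pam_acct_mgmt` error codes exposed by the calling application), so collapsing the user-visible message is the minimum, not the whole fix.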