Re: adduser: what is the difference between --disabled-password and --disabled-login
- To: debian-devel@lists.debian.org
- Subject: Re: adduser: what is the difference between --disabled-password and --disabled-login
- From: wieseltux23 <wieseltux23@gmail.com>
- Date: Thu, 13 Jul 2006 16:59:55 +0200
- Message-id: <20060713165955.2a4fdc78.wieseltux23@gmail.com>
- In-reply-to: <20050515032859.GE18151@mauritius.dodds.net>
- References: <20050509123406.GI27213@rakefet> <E1DVAyE-0005Ma-KY@scyw00225> <20050509171427.GA5337@www.lobefin.net> <20050510224033.GL27213@rakefet> <E1DWIGx-00013w-9T@scyw00225> <sa48y2hffqn.fsf@snoopy.microcomaustralia.com.au> <20050515022251.GC18151@mauritius.dodds.net> <20050515023328.GQ20176@zewt.org> <20050515032859.GE18151@mauritius.dodds.net>
On Sat, 14 May 2005 20:29:03 -0700
Steve Langasek <vorlon@debian.org> wrote:
> On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote:
> > On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > > > I also think it would be really "cool"(TM) if the system could display
> > > > a message "password expired" or "account is locked" if the user
> > > > successfully authenticates to the system but is unable to authorize
> > > > the user to use the system. This saves the user wondering "did I use
> > > > the correct password?", "Did I enter it in correctly?", etc.
>
> > > This leaks information to attackers about the state of the account.
>
> > Hence "could": I don't consider the fact that an account is expired or
> > locked (or exists, for that matter) to be sensitive information, for
> > my uses, and would much prefer to give proper error messages. People
> > with different security needs/philosophies use different policies ...
>
> The trouble with doing this, in PAM-based systems, is that authentication
> precedes authorization; so any message that informs the user that the
> account is not authorized (i.e., it's expired or locked) also informs the
> attacker that authentication succeeded.
>
> So, it's not just information about the account state that's being leaked;
> you're also leaking authentication tokens.
>
> --
> Steve Langasek
> postmodern programmer
>
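The ordering Steve describes, as an added example that is not part of the thread: a toy Python model of a PAM-style stack where the auth step (password check) runs before the account step (locked/expired check). With a "verbose" message policy the prompt's reply differs between a wrong password and a locked account, which tells the client the password was right; with a uniform policy the prompt says the same thing in both cases and the detail goes only to the admin log. The user table, the unsalted SHA-256 stand-in for the shadow hash, and all messages are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the password hash (real systems use a salted,
# slow scheme such as the crypt(3) variants pam_unix consults in /etc/shadow).
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample user database: hash plus the account-state flags.
USERS = {
    "alice": {"hash": _h("correct horse"), "locked": False, "expired": False},
    "bob":   {"hash": _h("battery staple"), "locked": True,  "expired": False},
}

@dataclass
class LoginResult:
    success: bool
    user_message: str   # what the login prompt shows to the client
    audit_message: str  # what goes to the admin-only log

def pam_auth(user: str, password: str) -> bool:
    """Auth stack: does the supplied password match? (runs first)"""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _h(password))

def pam_account(user: str):
    """Account stack: is the (already authenticated) user allowed in?"""
    rec = USERS[user]
    if rec["locked"]:
        return "account is locked"
    if rec["expired"]:
        return "password expired"
    return None

def login(user: str, password: str, verbose: bool) -> LoginResult:
    # PAM order: auth first, account second.
    if not pam_auth(user, password):
        return LoginResult(False, "Login incorrect", f"auth failure for {user!r}")
    reason = pam_account(user)
    if reason is None:
        return LoginResult(True, "Welcome", f"login ok for {user!r}")
    # We only get here if the password was right. Showing the account-state
    # reason confirms that to whoever typed it; the uniform policy does not.
    audit = f"auth ok but account check failed for {user!r}: {reason}"
    msg = reason if verbose else "Login incorrect"
    return LoginResult(False, msg, audit)
```

The uniform policy keeps the full reason in the audit log, so the locked-out user can still be told what happened out of band by an administrator.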