Re: adduser: what is the difference between --disabled-password and --disabled-login
- To: email@example.com
- Subject: Re: adduser: what is the difference between --disabled-password and --disabled-login
- From: wieseltux23 <firstname.lastname@example.org>
- Date: Thu, 13 Jul 2006 16:59:55 +0200
- Message-id: <email@example.com>
- In-reply-to: <20050515032859.GE18151@mauritius.dodds.net>
- References: <20050509123406.GI27213@rakefet> <E1DVAyE-0005Ma-KY@scyw00225> <20050509171427.GA5337@www.lobefin.net> <20050510224033.GL27213@rakefet> <E1DWIGx-00013w-9T@scyw00225> <firstname.lastname@example.org> <20050515022251.GC18151@mauritius.dodds.net> <20050515023328.GQ20176@zewt.org> <20050515032859.GE18151@mauritius.dodds.net>
On Sat, 14 May 2005 20:29:03 -0700
Steve Langasek <email@example.com> wrote:
> On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote:
> > On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > > > I also think it would be really "cool"(TM) if the system could display
> > > > a message "password expired" or "account is locked" if the user
> > > > successfully authenticates to the system but is unable to authorize
> > > > the user to use the system. This saves the user wondering "did I use
> > > > the correct password?", "Did I enter it in correctly?", etc.
> > > This leaks information to attackers about the state of the account.
> > Hence "could": I don't consider the fact that an account is expired or
> > locked (or exists, for that matter) to be sensitive information, for
> > my uses, and would much prefer to give proper error messages. People
> > with different security needs/philosophies use different policies ...
> The trouble with doing this, in PAM-based systems, is that authentication
> precedes authorization; so any message that informs the user that the
> account is not authorized (i.e., it's expired or locked) also informs the
> attacker that authentication succeeded.
> So, it's not just information about the account state that's being leaked;
> you're also leaking authentication tokens.
> Steve Langasek
> postmodern programmer
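The two-stage flow Steve describes (authentication first, account check second) and the resulting leak can be shown in a small simulation. The following is an added example written for this archive page; it is not code from the thread participants or from Linux-PAM. Function names mirror the PAM API (`pam_authenticate`, `pam_acct_mgmt`) and the return-code strings are modelled on PAM's, but everything here is a stand-alone model over a constructed account table. The `password_oracle` helper is a check a defender can run against a login flow to see whether its failure messages differ depending on whether the supplied password was right.

```python
"""Simulated two-stage login: authenticate, then check account state.

Constructed demonstration of the leak discussed in the thread: when an
account-state message ("locked", "expired") is only shown after the
credential check has passed, the message itself confirms the password.
Names mirror the PAM API but this is a stand-alone model, not libpam.
"""
import hashlib
import hmac
from typing import List, Tuple


def _h(pw: str) -> str:
    # Plain SHA-256 is used only to keep the constructed sample short.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample account table (hypothetical users and passwords).
ACCOUNTS = {
    "alice": {"pw_hash": _h("correct horse"), "state": "ok"},
    "bob":   {"pw_hash": _h("hunter2"),       "state": "locked"},
    "carol": {"pw_hash": _h("s3cret"),        "state": "expired"},
}


def pam_authenticate(user: str, password: str) -> str:
    """Stage 1: verify the credential. Models pam_authenticate()."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "PAM_USER_UNKNOWN"  # modelled return code
    if hmac.compare_digest(acct["pw_hash"], _h(password)):
        return "PAM_SUCCESS"
    return "PAM_AUTH_ERR"


def pam_acct_mgmt(user: str) -> str:
    """Stage 2: check account state. Models pam_acct_mgmt(); in a PAM
    stack this is only reached after stage 1 has succeeded."""
    state = ACCOUNTS[user]["state"]
    return {"ok": "PAM_SUCCESS",
            "locked": "PAM_PERM_DENIED",
            "expired": "PAM_ACCT_EXPIRED"}[state]


def login(user: str, password: str, policy: str,
          audit: List[str]) -> Tuple[bool, str]:
    """Run both stages and return (granted, message shown to the user).

    policy="verbose": tell the user why the account check failed (the
    behaviour proposed in the thread).
    policy="uniform": one generic failure message for every failure; the
    real reason goes only to the audit log, where an admin can read it.
    """
    rc = pam_authenticate(user, password)
    if rc != "PAM_SUCCESS":
        audit.append(f"{user}: authentication failed ({rc})")
        return False, "Login incorrect"
    rc = pam_acct_mgmt(user)
    if rc == "PAM_SUCCESS":
        audit.append(f"{user}: login granted")
        return True, "Welcome"
    # Authentication succeeded but authorization did not.
    audit.append(f"{user}: authenticated but account check failed ({rc})")
    if policy == "verbose":
        reason = {"PAM_PERM_DENIED": "account is locked",
                  "PAM_ACCT_EXPIRED": "account has expired"}[rc]
        return False, reason
    return False, "Login incorrect"


def password_oracle(user: str, candidate: str, policy: str) -> bool:
    """True if the message for `candidate` differs from the message for a
    guaranteed-wrong password, i.e. the failure text alone reveals whether
    `candidate` passed authentication."""
    wrong = candidate + "-definitely-wrong"
    _, msg_candidate = login(user, candidate, policy, [])
    _, msg_wrong = login(user, wrong, policy, [])
    return msg_candidate != msg_wrong


if __name__ == "__main__":
    log: List[str] = []
    for policy in ("verbose", "uniform"):
        granted, msg = login("bob", "hunter2", policy, log)
        print(f"{policy:8} bob/hunter2 -> granted={granted} "
              f"message={msg!r} "
              f"oracle={password_oracle('bob', 'hunter2', policy)}")
    print("\n".join(log))
```

Under the verbose policy a locked account answers a correct password with "account is locked" and a wrong one with "Login incorrect", so the two outcomes are distinguishable to whoever is typing; under the uniform policy both produce the same text and the distinction survives only in the audit log. This is the trade-off the thread is about: the helpful message and the credential confirmation are the same message.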