
Re: adduser: what is the difference between --disabled-password and --disabled-login







On Sat, 14 May 2005 20:29:03 -0700
Steve Langasek <vorlon@debian.org> wrote:

> On Sat, May 14, 2005 at 10:33:28PM -0400, Glenn Maynard wrote:
> > On Sat, May 14, 2005 at 07:22:56PM -0700, Steve Langasek wrote:
> > > > I also think it would be really "cool"(TM) if the system could display
> > > > a message "password expired" or "account is locked" if the user
> > > > successfully authenticates to the system but is unable to authorize
> > > > the user to use the system. This saves the user wondering "did I use
> > > > the correct password?", "Did I enter it in correctly?", etc.
> 
> > > This leaks information to attackers about the state of the account.
> 
> > Hence "could": I don't consider the fact that an account is expired or
> > locked (or exists, for that matter) to be sensitive information, for
> > my uses, and would much prefer to give proper error messages.  People
> > with different security needs/philosophies use different policies ...
> 
> The trouble with doing this, in PAM-based systems, is that authentication
> precedes authorization; so any message that informs the user that the
> account is not authorized (i.e., it's expired or locked) also informs the
> attacker that authentication succeeded.
> 
> So, it's not just information about the account state that's being leaked;
> you're also leaking authentication tokens.
> 
> -- 
> Steve Langasek
> postmodern programmer
> 



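The leak Steve Langasek describes, as an added example that is not part of the original thread or of any PAM code: a miniature model of the PAM ordering in which "auth" (is the password right?) runs before "account" (may this account log in?), so a distinct "account is locked" message can only ever be produced after the password has been verified, and an attacker can use that message as a password oracle against locked or expired accounts. The users, hashes, wordlist and the function names (pam_auth, pam_account, login_verbose, login_uniform) are all constructed for the demonstration.

```python
"""Model of PAM's auth-then-account ordering and the message oracle it creates.

Added example, not code from the original thread or from PAM. All users,
password hashes and the attacker's wordlist are constructed for the demo.
"""

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class ShadowEntry:
    salt: bytes
    pw_hash: bytes
    locked: bool  # stands in for "locked" or "password expired" in /etc/shadow


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_entry(password: str, locked: bool = False) -> ShadowEntry:
    salt = os.urandom(16)
    return ShadowEntry(salt, _hash(password, salt), locked)


# Constructed user database: alice is active, bob's account is locked.
SHADOW = {
    "alice": make_entry("correct horse", locked=False),
    "bob": make_entry("hunter2", locked=True),
}


def pam_auth(user: str, password: str) -> bool:
    """'auth' phase: does the supplied password match the stored hash?"""
    entry = SHADOW.get(user)
    if entry is None:
        _hash(password, b"\0" * 16)  # spend the same effort for unknown users
        return False
    return hmac.compare_digest(_hash(password, entry.salt), entry.pw_hash)


def pam_account(user: str) -> bool:
    """'account' phase: is the account allowed to be used at all?"""
    entry = SHADOW.get(user)
    return entry is not None and not entry.locked


def login_verbose(user: str, password: str) -> str:
    """The 'helpful' behaviour proposed in the thread: distinct messages.

    Because auth runs first, "Account is locked" is only reachable once the
    password has been confirmed correct, so the message confirms the password.
    """
    if not pam_auth(user, password):
        return "Login incorrect"
    if not pam_account(user):
        return "Account is locked"
    return "Welcome"


def login_uniform(user: str, password: str) -> str:
    """Hardened variant: auth and account failures collapse into one message.

    The ordering is unchanged; both phases are still evaluated, and the only
    externally visible difference is success vs. a single generic failure.
    """
    auth_ok = pam_auth(user, password)
    account_ok = pam_account(user)
    return "Welcome" if (auth_ok and account_ok) else "Login incorrect"


def guess_password(login, user: str, wordlist):
    """Attacker: any reply other than 'Login incorrect' means the password was right."""
    for guess in wordlist:
        if login(user, guess) != "Login incorrect":
            return guess
    return None


# Constructed attacker wordlist.
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]


if __name__ == "__main__":
    print("verbose login leaks bob's password:", guess_password(login_verbose, "bob", WORDLIST))
    print("uniform login leaks nothing:", guess_password(login_uniform, "bob", WORDLIST))
```

Note that the hardened variant does not reorder the phases; it still authenticates before it authorizes, which is what a PAM stack does. What it removes is the observable difference between "wrong password" and "right password but locked account", which is exactly the signal the oracle needs. The same reasoning applies to expiry messages, and to anything else reported only by the account phase.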