Date: Tue, 1 Apr 2003 11:54:29 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: virtual.c another question

On Sun, Mar 30, 2003 at 01:57:08PM +0400, Solar Designer wrote:
> On Sun, Mar 30, 2003 at 01:29:38PM +0600, Boris Kovalenko wrote:
> > virtual.c/virtual_userpass
> > fail = 0;
> > if (!is_valid_user(user)) {
> >      user = "INVALID";
> >      fail = 1;
> > }
> > .... many other code
> > 
> > Why run other code if we already know that the user is invalid? Why lstat
> > the directory and try to open the file for this "INVALID" user?
> 
> This is to reduce information leaks via timing.

I've got a few more questions about this, so I'll explain on the list.

The attack this approach is meant to deal with relies on measuring the
time it takes the server to process an authentication request.  If
that time were very different depending on the authentication
failure reason, it would be easy to determine that reason remotely.

-- 
/sd
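The contrast Solar Designer describes, as an added example that is not popa3d's own code: an authenticator that bails out early on an unknown user next to one that substitutes "INVALID" and runs the rest of the path anyway. The user table, `fetch_password()` and the `work_steps` counter are constructed stand-ins for the real lstat/open/read work, so the two strategies can be compared by counted work rather than by a stopwatch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample user table, standing in for the per-user files
 * popa3d reads (hypothetical, not the real virtual.c). */
static const struct { const char *user, *pass; } users[] = {
    {"alice", "correct horse"}, {"bob", "hunter2"},
};
#define NUSERS (sizeof users / sizeof users[0])

/* Counts the expensive steps (stand-ins for lstat/open/read). */
unsigned long work_steps;

static int is_valid_user(const char *user) {
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].user, user) == 0) return 1;
    return 0;
}

/* Stand-in for "lstat the directory, open and read the password file":
 * a fixed amount of work whether or not the user exists. */
static const char *fetch_password(const char *user) {
    const char *found = NULL;
    for (size_t i = 0; i < NUSERS; i++) {
        work_steps++;                     /* one "file access" per entry */
        if (strcmp(users[i].user, user) == 0) found = users[i].pass;
    }
    work_steps++;                         /* the final read */
    return found;
}

/* Early return: an unknown user costs far less than a wrong password,
 * so the failure reason leaks through response time. */
int auth_early_return(const char *user, const char *pass) {
    if (!is_valid_user(user)) return 0;
    const char *stored = fetch_password(user);
    return stored != NULL && strcmp(stored, pass) == 0;
}

/* The virtual.c approach: remember the failure, substitute a dummy user
 * and run the rest of the path so both failures cost the same work.
 * (The password comparison itself is outside the point made here.) */
int auth_constant_path(const char *user, const char *pass) {
    int fail = 0;
    if (!is_valid_user(user)) { user = "INVALID"; fail = 1; }
    const char *stored = fetch_password(user);   /* runs for INVALID too */
    if (stored == NULL || strcmp(stored, pass) != 0) fail = 1;
    return !fail;
}

/* Work spent on one call, for comparing the two strategies. */
unsigned long steps_for(int (*auth)(const char *, const char *),
                        const char *user, const char *pass) {
    work_steps = 0;
    auth(user, pass);
    return work_steps;
}
```

With the constructed table, `auth_early_return` spends zero steps on an unknown user but three on a wrong password, while `auth_constant_path` spends three in both cases.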
