Quoting Dmitri Gribenko ([email protected]):

> On Mon, Jun 1, 2009 at 9:14 AM, Christian Perrier <[email protected]> wrote:
> > login uses PAM for this and default settings are correct wrt brute
> > force attacks, with a 3-second delay before answering "Login incorrect".
>
> The delay is there and works as expected. The problem is that an
> attacker can distinguish between a valid and an invalid login (in the
> latter case the password is not asked for -- this is the problem). Thus, he
> can first brute force for a login, then for a password. If he
> couldn't, he would not know which logins are valid on the system.
(Please answer to the bug report so that the whole thread remains archived there.)

Well, IIRC, this has been debated many times already, both in the Debian package development history and during upstream development (the Debian maintainer, Nicolas François, is now upstream for shadow). Again, I don't really see how one could *really* brute force logins when PAM sets a 3-second delay for its answer... but let's see what light can be put on this by Nicolas: his memory of these discussions is maybe better than mine.
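As an added illustration (not code from shadow, login(1), PAM or anyone in this thread), here is a Python model of the two behaviours under discussion: a "leaky" login that rejects unknown usernames before ever asking for a password, and a hardened variant that prompts, hashes, compares and delays identically whether or not the account exists. The toy account table, the hash scheme and the function names are assumptions made for the example; the real login path goes through PAM and /etc/shadow. The delay is set to zero so the example runs quickly; in practice the PAM failure delay is a few seconds.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed toy account database (a stand-in for /etc/shadow, not real data):
# username -> salted SHA-256 of the password. Assumption made for this example.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS: Dict[str, bytes] = {
    "alice": _hash("correct horse"),
    "bob": _hash("hunter2"),
}

# Dummy hash compared against when the user does not exist, so the
# unknown-user path does the same amount of work as the known-user path.
_DUMMY_HASH = _hash("not-a-real-password")

# The real PAM failure delay is about 3 s; 0 here so the example runs fast.
FAIL_DELAY_SECONDS = 0.0

PasswordPrompt = Callable[[], str]


def leaky_login(username: str, prompt: PasswordPrompt) -> Tuple[bool, str]:
    """The behaviour complained about in the thread: an unknown user is
    rejected before the password prompt. Returns (password_was_requested,
    message), so a caller can see whether the prompt appeared."""
    if username not in USERS:
        time.sleep(FAIL_DELAY_SECONDS)
        return (False, "Login incorrect")  # delayed, but no password asked
    password = prompt()  # prompt only shown for existing accounts
    if hmac.compare_digest(_hash(password), USERS[username]):
        return (True, "Login OK")
    time.sleep(FAIL_DELAY_SECONDS)
    return (True, "Login incorrect")


def hardened_login(username: str, prompt: PasswordPrompt) -> Tuple[bool, str]:
    """Same interface, but every attempt prompts, hashes, compares and delays
    in the same order, so the observable sequence does not depend on whether
    the username exists."""
    password = prompt()  # always ask, even for unknown users
    stored = USERS.get(username, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password), stored)
    if match and username in USERS:
        return (True, "Login OK")
    time.sleep(FAIL_DELAY_SECONDS)
    return (True, "Login incorrect")


def enumerate_users(candidates: Iterable[str], login) -> Set[str]:
    """Attacker's view: a name is 'confirmed' if login asked for a password.
    Against leaky_login this yields exactly the valid accounts; against
    hardened_login every candidate looks the same, so nothing is learned."""
    return {name for name in candidates if login(name, lambda: "guess")[0]}


def search_cost(n_names: int, n_passwords: int, oracle: bool) -> int:
    """Worst-case number of delayed attempts. With a username oracle the two
    searches are sequential (n + m); without one they are a product (n * m),
    which is what the 3-second delay is actually multiplying."""
    return n_names + n_passwords if oracle else n_names * n_passwords


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    print("leaky:   ", sorted(enumerate_users(names, leaky_login)))
    print("hardened:", sorted(enumerate_users(names, hardened_login)))
    print("cost with oracle:   ", search_cost(100, 1000, oracle=True))
    print("cost without oracle:", search_cost(100, 1000, oracle=False))
```

The point of `search_cost` is the one Dmitri is making: the delay bounds the rate of attempts, but whether the attacker needs n + m of them or n * m depends on whether the username leaks before the password is checked.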