* Axel Braun [2018-02-14 10:27 +0100]:
> On Sunday, 4 February 2018 00:30:05 UTC+1, Cédric Krier wrote:
> > On 2018-02-03 07:48, Axel Braun wrote:
> > > On Monday, 29 January 2018 23:25:07 UTC+1, Cédric Krier wrote:
> > > > On 2018-01-29 12:47, Axel Braun wrote:
> > > > > I would like to discuss https://bugs.tryton.org/issue5375 with all
> > > > > developers involved.
> > > >
> > > > All developers have already commented on the issue and we all agree that
> > > > the proposal is wrong, solves nothing and weakens the brute force attack
> > > > protection.
> > >
> > > We had a constructive and friendly discussion about the topic
> > > here: https://bugzilla.opensuse.org/show_bug.cgi?id=1078111
> >
> > What I read is that more people agree that the applied patch does not
> > solve any issue and disables the brute force attack protection.
>
> Maybe you should read more carefully: the current implementation in
> Tryton, which allows you to bring the whole system down by flooding
> the database with login requests, is rubbish (OK, the security team
> phrased it more politely).

If you've read everything carefully then you will also notice that the
security team does not have all the use cases in mind when it comes to
making a decision. Of course, in a single instance trytond there are
better options available, but I am still waiting for a better approach
when taking into account the multi-platform, multi-instance use cases
that we do care about.

> > > The advice from the security team should be considered for a future patch.
> >
> > But more importantly, the applied patch on the OpenSUSE package must be
> > removed ASAP to not expose OpenSUSE users of the Tryton package to brute
> > force attacks against their password.
>
> Dunno if you have read the link you have posted above
> (https://www.schneier.com/blog/archives/2009/01/bad_password_se.html)
> yourself, but the first comment already describes it pretty well.
>
> Up to now we have no better patch in place. The proposed patch
> https://codereview.appspot.com/335550043/ makes things even worse.

Explain how exactly.

Because for me that would be a solution: instead of patching trytond
with the really bad patch you're using, you could just patch GNU Health
(thus not impacting users of trytond) and you're done; this whole
issue becomes void.

Granted, the patch is not perfect (a check on the size of the
dictionary and the use of the database name are things that come to
mind). But it does what Luis wants so badly: stop anonymous logging
in the database.
--
Nicolas Évrard - B2CK SPRL
E-mail/Jabber: nicolas.evr...@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/
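The two shortcomings named in the message above (no bound on the size of the in-memory dictionary, and no use of the database name in the key) are easy to see in a small model. The following is an added illustration written for this page, not code from trytond, GNU Health or the codereview patch: a hypothetical `LoginThrottle` class that counts failed logins in process memory rather than in the database, keyed by `(database, login)` so that several databases served by one process do not share counters, and capped at `max_entries` so that a flood of distinct logins cannot grow the dictionary without limit. The `simulate()` function runs it over a constructed sequence of attempts with a fake clock.

```python
import time
from collections import OrderedDict


class LoginThrottle:
    """Hypothetical in-memory counter of failed logins per (database, login).

    Failures are kept in process memory, not in the database, so a flood of
    login requests does not translate into database writes. The key includes
    the database name, and the dictionary is bounded: when it is full, the
    least recently touched entry is evicted.
    """

    def __init__(self, max_attempts=5, window=60.0, max_entries=10000,
                 clock=time.monotonic):
        self.max_attempts = max_attempts   # failures allowed inside one window
        self.window = window               # seconds before a counter expires
        self.max_entries = max_entries     # hard cap on dictionary size
        self.clock = clock                 # injectable for deterministic tests
        # (database, login) -> (failure_count, time_of_first_failure)
        self._attempts = OrderedDict()

    def is_blocked(self, database, login):
        """True if this login on this database has exhausted its attempts."""
        key = (database, login)
        entry = self._attempts.get(key)
        if entry is None:
            return False
        count, first = entry
        if self.clock() - first > self.window:
            # Window elapsed: forget the stale counter.
            del self._attempts[key]
            return False
        return count >= self.max_attempts

    def record_failure(self, database, login):
        """Count one failed login; reset the counter once the window passed."""
        key = (database, login)
        now = self.clock()
        count, first = self._attempts.get(key, (0, now))
        if now - first > self.window:
            count, first = 0, now
        self._attempts[key] = (count + 1, first)
        self._attempts.move_to_end(key)
        # Size check: evict least recently used entries beyond the cap.
        while len(self._attempts) > self.max_entries:
            self._attempts.popitem(last=False)

    def record_success(self, database, login):
        """A successful login clears the counter for that principal."""
        self._attempts.pop((database, login), None)

    def size(self):
        return len(self._attempts)


def simulate():
    """Constructed scenario: lockout, per-database isolation, expiry, flood."""
    now = [1000.0]                       # fake clock, advanced by hand
    throttle = LoginThrottle(max_attempts=3, window=60.0, max_entries=100,
                             clock=lambda: now[0])
    # Three failed logins for "admin" on database "erp" (constructed input).
    for _ in range(3):
        throttle.record_failure("erp", "admin")
    blocked_same_db = throttle.is_blocked("erp", "admin")
    # Same login name on another database is unaffected.
    blocked_other_db = throttle.is_blocked("crm", "admin")
    # After the window elapses the counter is dropped.
    now[0] += 61.0
    unblocked_after_window = throttle.is_blocked("erp", "admin")
    # 500 distinct logins in a row: the dictionary stays at the cap.
    for i in range(500):
        throttle.record_failure("erp", "user%d" % i)
    return {
        "blocked_same_db": blocked_same_db,
        "blocked_other_db": blocked_other_db,
        "unblocked_after_window": unblocked_after_window,
        "size_after_flood": throttle.size(),
    }


if __name__ == "__main__":
    print(simulate())
```

The LRU eviction is what keeps memory bounded, but it has a cost worth noting: a flood of distinct logins can push a live lockout out of the dictionary, so a deployment that needs strict lockouts would rather refuse new keys while full than evict old ones. The state is also per process, so across several trytond instances each instance counts on its own, which is exactly the multi-instance case the message says still lacks a good answer.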
To view this discussion on the web visit
https://groups.google.com/d/msgid/tryton-dev/20180214094638.z2ov6fgrzokmssy6%40localhost.localdomain.