gdm Create User

Steve Grubb sgrubb at redhat.com
Sun Oct 7 14:00:10 UTC 2007


On Sunday 07 October 2007 08:26:51 Lubomir Kundrak wrote:
> > Leaking the information that a user exists or not is considered bad.
>
> Though I do not think that gdm is the right place to create user
> accounts, I disagree with this statement.
>
> Knowing that a user exists or not is in principle about as
> dangerous as knowing whether a machine is up or not.

Remember all the times that login programs or pam have been updated to fix 
timing attacks that sometimes reveal whether an account is valid? Let me show 
you one to refresh your memory (there are more):

http://marc.info/?l=bugtraq&m=105172058404810&w=2

A successful account breach requires 3 things: a machine name, a valid 
account, and the password. Letting people know that an account is valid cuts 
the attack down to a dictionary attack.

-Steve



