gdm Create User
Steve Grubb
sgrubb at redhat.com
Sun Oct 7 14:00:10 UTC 2007
On Sunday 07 October 2007 08:26:51 Lubomir Kundrak wrote:
> > Leaking the information that a user exists or not is considered bad.
>
> Though I do not think that gdm is the right place to create user
> accounts, I disagree with this statement.
>
> Knowing that a user exists or not is in principle about as
> dangerous as knowing whether a machine is up or not.
Remember all the times that login programs or PAM have been updated to fix
timing attacks that sometimes reveal whether an account is valid? Let me show
you one to refresh your memory (there are more):
http://marc.info/?l=bugtraq&m=105172058404810&w=2
A successful account breach requires 3 things: a machine name, a valid
account, and the password. Letting people know that an account is valid cuts
the attack down to a dictionary attack.
-Steve