[Freeciv-Dev] Re: client/server authentication (PR#1767)
On Wed, Jun 04, 2003 at 02:00:27PM -0700, Paul Zastoupil wrote:
> On Wed, Jun 04, 2003 at 01:47:17PM -0700, ChrisK@xxxxxxxx wrote:
> > On Wed, Jun 04, 2003 at 10:01:24AM -0700, Reinier Post wrote:
> > > > > I didn't test the patch yet but this sounds wrong. There shouldn't be
> > > > > a timeout for a good password.
> > > >
> > > > You mean a delay?
> > > >
> > > > But that is what ssh does. Needs to be, over net, I think.
> > >
> > > No, the delay is only set if the password is found to be incorrect.
> > > Same with /bin/login.
> >
> > SSH does a delay *before* it asks for the password (or is this my slow
> > machines?). Then it limits the guesses.
>
> This is your connection.
2 seconds in a LAN?
> ssh has to do a key exchange before it offers you the password prompt.
> Two very fast machines on the same wire experience nearly no delay.
Ok, thank you, so I take it my machines are slow.
But does this mean there is no threat with a timing attack on civ.auth?
> > If there is only a delay with *wrong* passwords, you can make an attack:
> > whenever you notice a delay, disconnect and try again.
>
> --
> Paul Zastoupil
Christian
--
Christian Knoke * * * http://www.enter.de/~c.knoke/
* * * * * * * * * Ceterum censeo Microsoft esse dividendum.
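
Added example (not part of the original message or of the Freeciv patch): one way to close the gap Christian describes is to keep the penalty on the server, keyed by peer, instead of sleeping on the connection, so that disconnecting and reconnecting does not skip it. The function names, the key (for instance the client address, optionally combined with the user name), the table size and the delay values are all assumptions.

```c
#include <string.h>
#include <time.h>

#define MAX_PEERS  64    /* table size: assumed */
#define BASE_DELAY 2     /* seconds after the first failure: assumed */
#define MAX_DELAY  300   /* cap on the back-off: assumed */

struct peer { char key[64]; int failures; time_t next_allowed; };
static struct peer peers[MAX_PEERS];

/* Return the record for key; if there is none, reuse the slot with the
 * earliest next_allowed (empty slots first, then the least penalised). */
static struct peer *peer_get(const char *key)
{
  struct peer *slot = &peers[0];
  for (int i = 0; i < MAX_PEERS; i++) {
    if (strcmp(peers[i].key, key) == 0) return &peers[i];
    if (peers[i].next_allowed < slot->next_allowed) slot = &peers[i];
  }
  memset(slot, 0, sizeof(*slot));
  strncpy(slot->key, key, sizeof(slot->key) - 1);
  return slot;
}

/* Seconds this peer must still wait before any password is checked.
 * Call it when the connection arrives; non-zero means refuse without
 * checking, so a fresh connection cannot skip the penalty. */
long auth_wait(const char *key, time_t now)
{
  struct peer *p = peer_get(key);
  return p->next_allowed > now ? (long)(p->next_allowed - now) : 0;
}

/* Record the outcome of a password check. A failure is charged here, at
 * check time, so it stands even if the client disconnects at once. */
void auth_result(const char *key, int ok, time_t now)
{
  struct peer *p = peer_get(key);
  long delay = BASE_DELAY;
  if (ok) { p->failures = 0; p->next_allowed = 0; return; }
  for (int i = 0; i < p->failures && delay < MAX_DELAY; i++) delay *= 2;
  p->failures++;
  p->next_allowed = now + (delay > MAX_DELAY ? MAX_DELAY : delay);
}
```

Because a peer inside its penalty window is refused before the password is looked at, a correct and an incorrect guess made during that window are indistinguishable, and a first-time correct password still sees no delay.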