[Freeciv-Dev] Re: client/server authentication (PR#1767)
To: kaufman@xxxxxxxxxxxxxxxxxxxxxx
Subject: [Freeciv-Dev] Re: client/server authentication (PR#1767)
From: "Raimar Falke" <rf13@xxxxxxxxxxxxxxxxx>
Date: Fri, 6 Jun 2003 06:02:38 -0700
Reply-to: rt@xxxxxxxxxxxxxx

On Wed, Jun 04, 2003 at 01:47:17PM -0700, ChrisK@xxxxxxxx wrote:
> On Wed, Jun 04, 2003 at 10:01:24AM -0700, Reinier Post wrote:
> > > > I didn't test the patch yet but this sounds wrong. There shouldn't be
> > > > a timeout for a good password.
> > > 
> > > You mean a delay?
> > > 
> > > But that is what ssh does. Needs to be, over net, I think.
> > 
> > No, the delay is only set if the password is found to be incorrect.
> > Same with /bin/login.
> 
> SSH does a delay *before* it asks for the password (or is this my slow
> machines?). Then it limits the guesses.


The main delay here is between
  debug1: ssh_connect: getuid 500 geteuid 0 anon 1
and
  debug1: Connecting to www.freeciv.org [64.37.156.68] port 22.

Strace with -tt reveals:

7471  14:52:26.582653 write(2, "debug1: ssh_connect: getuid 500 "..., 52) = 52
7471  14:52:26.583367 open("/etc/services", O_RDONLY) = 3
...
7471  14:52:26.584944 open("/etc/resolv.conf", O_RDONLY) = 3
...
7471  14:52:26.586494 open("/etc/host.conf", O_RDONLY) = 3
...
7471  14:52:26.590063 open("/lib/libnss_nisplus.so.2", O_RDONLY) = 3
...
7471  14:52:26.600272 connect(3, {sin_family=AF_INET, sin_port=htons(53), 
sin_addr=inet_addr("194.25.0.52")}}, 28) = 0
...
7471  14:52:28.126988 write(2, "debug1: Connecting to xxxxxx [14"..., 52) = 52

So at least in my case I get a 1.5s delay because of the DNS lookup.

> If there is only a delay with *wrong* passwords, you can make an attack:
> whenever you notice a delay, disconnect and try again.

Yes, this is possible. But you have to make sure that you don't treat a
network lag as a reject. You have to work with statistics here. If you
know what the distribution of the RTT is, you can say something like:
with 99% probability, all good answers are back within x ms.

        Raimar

-- 
 email: rf13@xxxxxxxxxxxxxxxxx
  This customer comes into the computer store. "I'm looking for a mystery
  Adventure Game with lots of graphics. You know, something really
  challenging". "Well," replied the clerk, "have you tried Windows 98 ?"
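The point argued above, as an added illustration that is not code from this thread, from Freeciv or from OpenSSH: a server that waits only after a *wrong* password turns response time into a verdict oracle, and the thread's own "99% of good answers are back within x" threshold is enough to read it despite network lag. Applying the same delay on every attempt removes the signal. The simulation below compares the two policies; `FAIL_DELAY`, `simulated_rtt` and the two policy functions are constructed for this example, as is the lag model (about 50 ms with occasional spikes standing in for the network lag Raimar warns about).

```python
import random
import statistics

# Constructed example: two server-side delay policies for a password check,
# measured for whether the client-visible response time leaks the verdict.
FAIL_DELAY = 2.0  # seconds of penalty the server applies (assumed value)


def simulated_rtt(rng):
    """Constructed network lag: ~50 ms, with a 2% chance of a 0.2-1.0 s spike.
    The spikes are the 'network lag' that must not be mistaken for a reject."""
    base = max(0.0, rng.gauss(0.05, 0.01))
    if rng.random() < 0.02:
        base += rng.uniform(0.2, 1.0)
    return base


def delay_on_reject(password_ok):
    """Policy under discussion: wrong passwords wait, correct ones don't."""
    return 0.0 if password_ok else FAIL_DELAY


def uniform_delay(password_ok):
    """Mitigation: the same wait on every attempt, so time carries no verdict."""
    return FAIL_DELAY


def observed_times(policy, password_ok, n, rng):
    """Client-visible response time = server delay + network lag, n samples."""
    return [policy(password_ok) + simulated_rtt(rng) for _ in range(n)]


def timing_leakage(policy, n=5000, seed=1):
    """Apply the thread's '99% of good answers are back within x' threshold
    and return how differently the two verdicts get flagged by it:
    0.0 means timing cannot tell them apart, 1.0 means it separates them."""
    rng = random.Random(seed)
    good = observed_times(policy, True, n, rng)
    bad = observed_times(policy, False, n, rng)
    # x such that 99% of correct-password responses arrive within x seconds
    x = statistics.quantiles(good, n=100)[98]
    flagged_good = sum(t > x for t in good) / n
    flagged_bad = sum(t > x for t in bad) / n
    return round(abs(flagged_bad - flagged_good), 3)


if __name__ == "__main__":
    for name, policy in (("delay on reject", delay_on_reject),
                         ("uniform delay", uniform_delay)):
        print(f"{name:16s} leakage = {timing_leakage(policy):.3f}")
```

With the delay-only-on-reject policy the threshold flags essentially every wrong-password response and about 1% of correct ones, so the leakage is close to 1.0; with the uniform delay both verdicts sit in the same distribution and the leakage is close to 0.0. The same measurement works as a regression check for any authentication path: sample response times for both outcomes and require the difference to stay near zero.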