- Additional Comment #5 From Thomas Biege 2004-06-09 14:52 MST

checked verify-crypt.c

Two bugs found.

1.) password verification done before checking for closed accounts, login restrictions or allowed remote logins for root
result: even invalid logins can be brute-forced
note, syslog messages are emitted for these cases

2.) "anti-brute-force-delay" missing for invalid logins
note, syslog messages are emitted for these cases

Nevertheless the code is in very good style.

Stay tuned...

- Additional Comment #6 From Thomas Biege 2004-06-14 13:45 MST

checked verify-shadow.c

same bug as described in comment #5.

Another (nitpicker) issue is that the shadow passwd file can be closed earlier. In this case it is harmless.

- Additional Comment #7 From Thomas Biege 2004-06-17 16:49 MST

verify-pam.c: like comment #5

code is much more complex and until now I didn't dig very deep. It includes various hacks and workarounds. (looks like handling PAM isn't easy)

Another problem in verify-{crypt,shadow}.c is that for non-existing users strcmp() and crypt() aren't called. Therefore there is a time-difference between authenticating existing and non-existing users that can be measured.
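The three findings quoted above (password checked before the account-status checks, no failure delay, and no crypt() call for unknown users) come down to one ordering-and-uniformity problem in the verifier. The following C program is an added illustration written for this page; it is not GDM's verify-crypt.c nor code from Thomas Biege. It assumes a small constructed account table and uses a hypothetical slow_hash() in place of crypt(3) so it builds without libcrypt. authenticate_naive() reproduces the reported pattern; authenticate_hardened() always performs the hash (against a dummy hash for unknown users), folds the closed-account and remote-root checks into a single indistinguishable verdict, and asks for the delay on every failure. A global counter of hash evaluations stands in for a stopwatch so the timing difference can be asserted deterministically.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for crypt(3) so the example links without libcrypt.
 * Iterated FNV-1a over "salt$password"; cost is fixed by HASH_ROUNDS. */
#define HASH_ROUNDS 20000
#define FAIL_DELAY_SECONDS 3

static unsigned long g_hash_calls;          /* expensive evaluations performed */

static uint64_t slow_hash(const char *salt, const char *password)
{
    uint64_t h = 1469598103934665603ULL;
    char buf[64];
    snprintf(buf, sizeof buf, "%s$%s", salt, password);
    g_hash_calls++;
    for (int r = 0; r < HASH_ROUNDS; r++) {
        for (const char *p = buf; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 1099511628211ULL;
        }
        h ^= (uint64_t)r;
    }
    return h;
}

/* Constant-time 64-bit compare: no early exit on the first differing bit. */
static int ct_equal_u64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1 ^ (d & 1));
}

struct account {
    const char *name, *salt, *password;   /* password: constructed sample, hashed at init */
    uint64_t    hash;
    int         closed;                   /* disabled by the administrator */
    int         allow_remote;             /* may authenticate from a remote display */
};

/* Constructed sample accounts; not taken from any real system. */
static struct account g_accounts[] = {
    { "alice", "a1", "correct horse", 0, 0, 1 },
    { "bob",   "b2", "hunter2",       0, 1, 1 },   /* closed account */
    { "root",  "r0", "toor",          0, 0, 0 },   /* no remote logins */
};
#define N_ACCOUNTS (sizeof g_accounts / sizeof g_accounts[0])

static const char *g_dummy_salt = "zz";   /* charged to unknown users */
static uint64_t g_dummy_hash;
static int g_initialized;

static void accounts_init(void)
{
    if (g_initialized) return;
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        g_accounts[i].hash = slow_hash(g_accounts[i].salt, g_accounts[i].password);
    g_dummy_hash = slow_hash(g_dummy_salt, "dummy");
    g_initialized = 1;
    g_hash_calls = 0;
}

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(g_accounts[i].name, name) == 0) return &g_accounts[i];
    return NULL;
}

enum auth_result { AUTH_OK, AUTH_FAIL, AUTH_FAIL_NO_USER,
                   AUTH_FAIL_BAD_PASSWORD, AUTH_FAIL_CLOSED, AUTH_FAIL_REMOTE };
struct verdict { enum auth_result result; unsigned delay_seconds; };

/* Pattern from the bug report: unknown users skip the hash, the password is
 * verified before the account checks, every branch has its own distinct
 * outcome (one syslog line each), and no delay is imposed. */
enum auth_result authenticate_naive(const char *user, const char *password, int remote)
{
    accounts_init();
    const struct account *a = lookup(user);
    if (a == NULL) return AUTH_FAIL_NO_USER;          /* fast path leaks existence */
    if (!ct_equal_u64(slow_hash(a->salt, password), a->hash)) return AUTH_FAIL_BAD_PASSWORD;
    if (a->closed) return AUTH_FAIL_CLOSED;           /* reachable only with the right password */
    if (remote && !a->allow_remote) return AUTH_FAIL_REMOTE;
    return AUTH_OK;
}

/* Hardened: same hash cost for every name, account checks folded into one
 * generic verdict, delay requested on every failure. */
struct verdict authenticate_hardened(const char *user, const char *password, int remote)
{
    accounts_init();
    const struct account *a = lookup(user);
    uint64_t got = slow_hash(a ? a->salt : g_dummy_salt, password);
    int ok = ct_equal_u64(got, a ? a->hash : g_dummy_hash);
    ok = ok && a != NULL && !a->closed && !(remote && !a->allow_remote);
    struct verdict v = { ok ? AUTH_OK : AUTH_FAIL, ok ? 0u : FAIL_DELAY_SECONDS };
    return v;
}

/* Number of hash evaluations one attempt costs; the deterministic "timer". */
unsigned long hash_calls_for(const char *user, const char *password, int hardened)
{
    accounts_init();
    g_hash_calls = 0;
    if (hardened) authenticate_hardened(user, password, 0);
    else authenticate_naive(user, password, 0);
    return g_hash_calls;
}

int main(void)
{
    printf("naive   unknown user: %lu hash calls\n", hash_calls_for("nobody", "x", 0));
    printf("hardened unknown user: %lu hash calls\n", hash_calls_for("nobody", "x", 1));
    struct verdict v = authenticate_hardened("bob", "hunter2", 0);
    printf("hardened closed account, correct password: result=%d delay=%us\n", v.result, v.delay_seconds);
    sleep(v.delay_seconds);
    return 0;
}
```

In the naive version a closed account with the right password returns AUTH_FAIL_CLOSED while a wrong password returns AUTH_FAIL_BAD_PASSWORD, so the password of a disabled account can still be brute-forced, and an unknown user costs zero hash evaluations against one for a known user. The hardened version charges exactly one hash evaluation to every attempt, returns the same AUTH_FAIL for wrong password, closed account, unknown user and disallowed remote root, and reports the delay the caller should impose before answering.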
From where is this copied? The GDM bugzilla? Alternatively, have the GDM developers been notified? These are almost certainly not worth the trouble of introducing a Gentoo-specific patch, IMO.
Oh, sorry. It says in the subject line. Duh. Anywho, upstream?
Thomas Biege contacted again. CC'ing Mike.
Upstream bug filed.
Mike, any news on this one?
GNOME bug is public. Waiting for progress there...
No progress on the Gnome bug
I propose that we consider this shallow... and close the bug.
Koon says shallow (and I agree) -> Closing