freeradius denial of service in authentication flow

Alan DeKok aland at freeradius.org
Sat Feb 15 21:00:49 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Weimer wrote:
> * Alan DeKok:
> 
>>   That's an issue, but a rare one IMHO.  The user has to exist on the
>> system.  So this isn't a remote DoS.
> 
> Could you elaborate on this assessment?  Is this because typical data
> sources for SSHA passwords limit the length of the salt and thus the
> length of the SSHA hash?

  Partly.  The typical use-case for a remote DoS is for an
unauthenticated user to take down the system.  Here, the user has to be
known, *and* be able to create a long SSHA password.

  To me, this puts the issue into the category of "known users can do
bad things", which is very different from "unknown users can do bad things".

  Alan DeKok.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBUv/VXKkul4vkAkl9AQLdvwQAgx4bd5aJOUA5l8sno2RwhzrLpXxDhLi0
ctaOcAcSmYdPabe5PMcb09lc9EbOGsuTr+lHOuNqWvE+63pFuw/7qom9IpdNtmkz
JMY1qSrCWbq7X/IE6M3MU90u3h/3IgO7rLCDXKipUL9CXf/Og/fH04DdNq6B2V8p
fRuJjdVRbLU=
=HrY0
-----END PGP SIGNATURE-----
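An added example, not part of the thread above and not FreeRADIUS code, showing the point both posters rely on: an RFC 2307-style SSHA value is base64(sha1(password + salt) + salt), so its decoded length is a fixed 20-byte digest plus whatever salt was stored, and a "long SSHA password" is simply one whose salt is long. The MAX_SALT_LEN limit, the function names and the sample passwords are this example's own assumptions; the salt-length check is a generic defensive measure on the consumer side, not the project's fix.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Constructed example; not from the original thread or the FreeRADIUS source.
# SSHA (RFC 2307 style): "{SSHA}" + base64( sha1(password + salt) + salt )
# The SHA-1 digest is always 20 bytes; every byte after it is salt, so the
# decoded length is 20 + len(salt). A data source that caps the salt length
# therefore caps the length of the whole SSHA value.

SHA1_LEN = 20
MAX_SALT_LEN = 64  # assumed policy limit for this example, not a FreeRADIUS value
PREFIX = "{SSHA}"


def make_ssha(password: bytes, salt: bytes) -> str:
    """Produce an SSHA value for password with the given salt (any length)."""
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def salt_length(value: str) -> int:
    """Number of salt bytes carried in an SSHA value (decoded length minus digest)."""
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    return max(len(raw) - SHA1_LEN, 0)


def decode_ssha(value: str, max_salt_len: int = MAX_SALT_LEN) -> Tuple[bytes, bytes]:
    """Split an SSHA value into (digest, salt), rejecting malformed or oversized input.

    The length checks run before any work is done with the salt, so an entry
    with an unexpectedly long salt is refused rather than processed.
    """
    if not value.startswith(PREFIX):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) < SHA1_LEN:
        raise ValueError("SSHA value is shorter than a SHA-1 digest")
    salt = raw[SHA1_LEN:]
    if len(salt) > max_salt_len:
        raise ValueError(
            f"salt of {len(salt)} bytes exceeds the configured limit of {max_salt_len}"
        )
    return raw[:SHA1_LEN], salt


def verify_ssha(password: bytes, value: str, max_salt_len: int = MAX_SALT_LEN) -> bool:
    """Check a cleartext password against a stored SSHA value (constant-time compare)."""
    digest, salt = decode_ssha(value, max_salt_len)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Typical entry: a short random-looking salt, 24 decoded bytes in total.
    normal = make_ssha(b"secret", b"\x00\x01\x02\x03")
    print(normal, "salt bytes:", salt_length(normal))
    print("verify correct password:", verify_ssha(b"secret", normal))
    print("verify wrong password:  ", verify_ssha(b"Secret", normal))

    # Entry a known user could store if the data source does not cap salt size.
    oversized = make_ssha(b"x", b"A" * 200)
    print("oversized salt bytes:", salt_length(oversized))
    try:
        verify_ssha(b"x", oversized)
    except ValueError as exc:
        print("rejected:", exc)
```

The only party able to plant the oversized entry is whoever controls that user's stored password, which is why the thread treats this as "known users can do bad things": the check above never sees a long salt from an unauthenticated client, only from the backend record of an existing account.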


More information about the freebsd-bugbusters mailing list