freeradius denial of service in authentication flow
aland at freeradius.org
Sat Feb 15 21:00:49 UTC 2014
Florian Weimer wrote:
> * Alan DeKok:
>> That's an issue, but a rare one IMHO. The user has to exist on the
>> system. So this isn't a remote DoS.
> Could you elaborate on this assessment? Is this because typical data
> sources for SSHA passwords limit the length of the salt and thus the
> length of the SSHA hash?
Partly. The typical use-case for a remote DoS is for an
unauthenticated user to take down the system. Here, the user has to be
known, *and* be able to create a long SSHA password.
To me, this puts the issue into the category of "known users can do
bad things", which is very different from "unknown users can do bad things".
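The thread turns on the length of the stored SSHA record: data sources that bound the salt bound the decoded hash, and a user who can store an arbitrarily long one is the precondition for the problem. The verifier below is an added example, not FreeRADIUS code and not taken from this thread; it assumes the standard LDAP `{SSHA}` layout (base64 of the SHA-1 digest followed by the salt) and an arbitrary, configurable upper bound on the decoded length, and it rejects an over-long record before any hashing is done.

```python
import base64
import hashlib
import hmac

# Assumed layout (standard LDAP SSHA, not something this thread specifies):
#   "{SSHA}" + base64( sha1(password + salt) + salt )
SHA1_LEN = 20
# Assumed policy bound: 20-byte digest plus at most 64 bytes of salt.
MAX_SSHA_DECODED_LEN = SHA1_LEN + 64


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} record; used here only to construct sample inputs."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: bytes) -> bool:
    """Return True if candidate matches the stored {SSHA} record.

    The length checks run before the candidate is hashed, so a record that
    a user managed to store with an enormous salt is refused outright
    instead of being fed into the hash path.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA record")
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("SSHA record is not valid base64")
    if len(raw) < SHA1_LEN:
        raise ValueError("SSHA record shorter than a SHA-1 digest")
    if len(raw) > MAX_SSHA_DECODED_LEN:
        raise ValueError("SSHA record exceeds the configured maximum length")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample records: one normal, one with an oversized salt.
    normal = make_ssha(b"correct horse", b"saltsalt")
    oversized = make_ssha(b"pw", b"A" * 5000)
    print(check_ssha(normal, b"correct horse"))   # True
    print(check_ssha(normal, b"wrong"))           # False
    try:
        check_ssha(oversized, b"pw")
    except ValueError as e:
        print("rejected:", e)
```

The bound is policy, not protocol: pick it from what the backing directory or database can actually emit, so a legitimate record never trips it while anything far outside that range is refused before it reaches the hashing code.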