Graphical Greeter -- Security gripe

Gene C. czar at czarc.net
Mon Mar 1 19:19:46 UTC 2004


On Sunday 29 February 2004 22:59, Steve Ward wrote:
> I noticed that the graphical login screen now displays the last
> successful login for the username entered _before_ the password is entered.
>
> This is a security issue because it tells a potential cracker that they
> have found a valid login.

I agree with your concerns and almost submitted a bugzilla report to at least 
document the concern.

The problem is that this new "feature" is both a security plus and a security 
minus.  It is part of gdm and can be configured off in /etc/X11/gdm/gdm.conf 
for those who do not want it.

From the plus side, if a user notices that the last login date/time does not 
match what they remember, they can report it or take other appropriate 
actions.

From the minus side, it provides an attacker with the information that a valid 
userid has been entered before the user has been actually authenticated 
(before a valid password has been entered).  Thus, they can now "just" attack 
the password rather than the combination of userid and password (they have a 
smaller search space).

This new feature has been implemented in gdm.  Ideally, it should not be 
implemented in gdm but instead be in the startup process as a popup (or 
whatever).  Thus, only authenticated users would see the Last Login popup.

Comments?
-- 
Gene
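As an added illustration of the oracle discussed in the message above (example code written for this page, not code from the post, from gdm, or from Fedora): a toy greeter that, like the complained-about behaviour, prints the last-login line as soon as a username is typed, beside a version that gives every username the same pre-authentication prompt and only reveals the last login after the password has been verified. The account table, usernames and timestamps are constructed sample data; `enumerate_users` is the attacker's check, which flags any username whose pre-auth prompt differs from that of a name that does not exist.

```python
"""Username-enumeration oracle in a login greeter, and a non-leaking design.

Constructed example; not gdm code. USERS, the names and the last-login
strings are made-up sample data. Passwords are checked with PBKDF2 from
the standard library so the comparison is real, not a string equality.
"""
import hashlib
import hmac
import os

_ITERATIONS = 50_000
_DUMMY_SALT = b"\x00" * 16


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str, last_login: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "last_login": last_login}


# Constructed account database (hypothetical users, not from the original post).
USERS = {
    "steve": make_user("correct horse", "Sun Feb 29 22:59:00 2004"),
    "gene": make_user("battery staple", "Mon Mar  1 19:19:46 2004"),
}


def _password_ok(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Do the same PBKDF2 work for unknown users so a timing difference
        # does not become a second enumeration oracle.
        _hash(password, _DUMMY_SALT)
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


# --- Leaky greeter: last login is shown before any password is entered -----
def leaky_prompt(username: str) -> str:
    """Text the greeter shows once the username is typed (the complained-about behaviour)."""
    rec = USERS.get(username)
    if rec is None:
        return "Password:"
    return f"Last login: {rec['last_login']}\nPassword:"


# --- Fixed greeter: identical prompt for everyone, last login only after auth
def fixed_prompt(username: str) -> str:
    """Pre-auth prompt does not depend on whether the username exists."""
    return "Password:"


def fixed_login(username: str, password: str) -> str:
    if not _password_ok(username, password):
        # One message for both 'no such user' and 'wrong password'.
        return "Login incorrect"
    # Only an authenticated user learns the last-login time, so the
    # 'did someone else log in as me?' check is kept without the oracle.
    return f"Welcome {username}. Last login: {USERS[username]['last_login']}"


# --- Attacker's view: which candidate names can be told apart before auth? --
def enumerate_users(prompt, candidates):
    """Return candidates whose pre-auth prompt differs from a non-existent user's."""
    baseline = prompt("no-such-user-zzz")
    return [u for u in candidates if prompt(u) != baseline]


if __name__ == "__main__":
    wordlist = ["root", "steve", "gene", "alice"]
    print("leaky greeter leaks:", enumerate_users(leaky_prompt, wordlist))
    print("fixed greeter leaks:", enumerate_users(fixed_prompt, wordlist))
    print(fixed_login("steve", "wrong"))
    print(fixed_login("steve", "correct horse"))
```

Run against the constructed wordlist, the leaky greeter gives the attacker the two valid names for free, while the fixed greeter gives none; the last-login line still reaches the legitimate user, but only once they have proven who they are.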

More information about the fedora-test-list mailing list