Graphical Greeter -- Security gripe
Gene C.
czar at czarc.net
Mon Mar 1 19:19:46 UTC 2004
On Sunday 29 February 2004 22:59, Steve Ward wrote:
> I noticed that the graphical login screen now displays the last
> successful login for the username entered _before_ the password is entered.
>
> This is a security issue because it tells a potential cracker that they
> have found a valid login.
I agree with your concerns and almost submitted a bugzilla report to at least
document the concern.
The problem is that this new "feature" is both a security plus and a security
minus. It is part of gdm and can be configured off in /etc/X11/gdm/gdm.conf
for those who do not want it.
From the plus side, if a user notices that the last login date/time does not
match what they remember, they can report it or take other appropriate
actions.
From the minus side, it provides an attacker with the information that a valid
userid has been entered before the user has been actually authenticated
(before a valid password has been entered). Thus, they can now "just" attack
the password rather than the combination of userid and password (they have a
smaller search space).
This new feature has been implemented in gdm. Ideally, it should not be
implemented in gdm but instead be in the startup process as a popup (or
whatever). Thus, only authenticated users would see the Last Login popup.
Comments?
--
Gene
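As an added illustration of the design point argued in this message (not code from the post, from gdm, or from Fedora), the following Python model contrasts a greeter that echoes the last-login line as soon as a username is typed with one that withholds it until the password has been verified. The account table, the `_hash`/`_verify` helpers and the function names are constructed for the example; the check at the end is the property a defender would want: the pre-authentication response must not differ between a known and an unknown username.

```python
"""Toy greeter models for the last-login-before-password issue.

Added example, not code from the original mailing-list post or from gdm.
The ACCOUNTS table and all helper names are constructed for illustration.
"""
import hashlib
import hmac


def _hash(password: str, salt: str) -> str:
    """Salted SHA-256; a stand-in for whatever the real system uses."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample account table: username -> salted hash and last login.
ACCOUNTS = {
    "alice": {
        "salt": "s1",
        "hash": _hash("correct horse", "s1"),
        "last_login": "Sun Feb 29 21:15 2004",
    },
}


def _verify(username: str, password: str) -> bool:
    """Check a password; does the same hashing work for unknown users so the
    cost of the step does not reveal whether the account exists."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        _hash(password, "dummy-salt")
        return False
    return hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))


def leaky_greeter_username_step(username: str) -> dict:
    """Models the behaviour the thread complains about: the last successful
    login is shown as soon as the username is entered, before any password."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"prompt": "Password:", "message": ""}
    return {"prompt": "Password:", "message": f"Last login: {acct['last_login']}"}


def hardened_greeter_username_step(username: str) -> dict:
    """Pre-auth response is identical for every username, known or not."""
    return {"prompt": "Password:", "message": ""}


def hardened_login(username: str, password: str) -> dict:
    """Last-login information is released only after authentication succeeds,
    which is where the post argues it belongs (a post-login popup)."""
    if not _verify(username, password):
        # Same text for a bad password and an unknown user.
        return {"ok": False, "message": "Login incorrect"}
    return {"ok": True, "message": f"Last login: {ACCOUNTS[username]['last_login']}"}


def preauth_response_is_uniform(step, usernames) -> bool:
    """Defender's check: the username step must return the same response for
    every name tried, otherwise it confirms which accounts exist."""
    responses = {repr(step(u)) for u in usernames}
    return len(responses) == 1


if __name__ == "__main__":
    names = ["alice", "nobody"]
    print("leaky greeter uniform:   ", preauth_response_is_uniform(leaky_greeter_username_step, names))
    print("hardened greeter uniform:", preauth_response_is_uniform(hardened_greeter_username_step, names))
    print(hardened_login("alice", "correct horse"))
```

The `preauth_response_is_uniform` check is the useful part: run it against any login front end's username step (real or modelled) with one valid and one invented name, and a `False` result means the greeter is leaking account existence before the password is checked, exactly the reduction of the attacker's search space described above.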