Re: const time authentication in bozohttpd

To: tech-security%netbsd.org@localhost, tech-userlevel%netbsd.org@localhost
Subject: Re: const time authentication in bozohttpd
From: Joerg Sonnenberger <joerg%britannica.bec.de@localhost>
Date: Thu, 26 Jun 2014 22:46:56 +0200

On Wed, Jun 25, 2014 at 07:35:12AM +0000, shm wrote:
>  bozohttpd currently checks password using strcmp, which may leak information
> about compared data, my patch [1] introduces following countermeasures:

Personally, I would find it much more useful to allow using cdbr(3) for
indexed access. Pad the username to the maximum length found and it all
boils down to the user having consistent crypt(3) hash settings. Even
without the latter, you can't distinguish a valid username from an
invalid one, just that you have a set of accounts using shared hash
settings.

Joerg

Prev by Date: Re: const time authentication in bozohttpd
Next by Date: Re: const time authentication in bozohttpd
Previous by Thread: Re: const time authentication in bozohttpd
Next by Thread: add login.conf to getent(1)
Indexes:

Home | Main Index | Thread Index | Old Index