Re: login sleeps too long on incorrect logins...
I think that it's fine as it is now, just to delay any attempt to remotely
brute-force username guesses.
d.-
On Mon, 4 Jun 2001, Denis A. Doroshenko wrote:
> Hello, more than once I have noticed that login sleeps too long on
> incorrect logins (bad username). It is noticeably longer than the failure
> for an account when a bad password is supplied. As I see from
> src/usr.bin/login/login.c, it is a simple sleep with a random time
> (1..3 secs). Wouldn't it be better to try to encrypt some random string
> with crypt(3) to get a delay emulating the pause? Just because on my 486
> this pause is OK, but on my Celeron 300 I can clearly distinguish between
> non-existing-user and bad-password incorrect logins...
>
> --
> Denis A. Doroshenko [GPRS/IN/WAP, VAS group engineer] .-. _|_ |
> [Omnitel Ltd., T.Sevcenkos st. 25, Vilnius, Lithuania] | | _ _ _ .| _ |
> [Phone: +370 9863486 E-mail: d.doroshenko@omnitel.net] |_|| | || |||(/_|_
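
An added example, not part of the original thread and not code from login.c: a sketch of the idea in the quoted message, where the unknown-user path runs the same password-hash computation as the bad-password path instead of sleeping. PBKDF2 from Python's hashlib stands in for crypt(3); the user table, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000          # constructed work factor for the demo
_kdf_calls = 0               # counts hash computations, for verification

def _kdf(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3): a deliberately slow password hash."""
    global _kdf_calls
    _kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

# Constructed user database: username -> (salt, hash)
USERS = {"alice": make_record("correct horse")}

# Dummy record created once at startup; hashed against for unknown users so
# both failure paths cost one hash computation with the same parameters.
DUMMY = make_record(os.urandom(16).hex())

def kdf_calls() -> int:
    return _kdf_calls

def check_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    salt, expected = record if record is not None else DUMMY
    candidate = _kdf(password, salt)                 # always executed
    match = hmac.compare_digest(candidate, expected) # constant-time compare
    return record is not None and match

def time_failure(username: str) -> float:
    """Wall-clock seconds for one failed login attempt."""
    start = time.perf_counter()
    check_login(username, "wrong password")
    return time.perf_counter() - start

if __name__ == "__main__":
    print("bad password :", round(time_failure("alice"), 4))
    print("unknown user :", round(time_failure("nobody"), 4))
```

Because the cost of the unknown-user path now comes from the same hash as the real check, it scales with the CPU the way the bad-password path does, which a fixed or random sleep does not.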