
Re: login sleeps too long on incorrect logins...



So login uses rand() as the time out? I was under the impression it was a
set thing.

----- Original Message -----
From: "Daniel Grunblatt" <daniel@grunblatt.com.ar>
To: "Tony Lambiris" <tlambiris@skillsoft.com>
Cc: "Denis A. Doroshenko" <d.doroshenko@omnitel.net>; <tech@openbsd.org>
Sent: Monday, June 04, 2001 10:11 AM
Subject: Re: login sleeps too long on incorrect logins...


> No pal, it's a random time.
>
> On Mon, 4 Jun 2001, Tony Lambiris wrote:
>
> > But I think what he was hinting at was the difference in delays... if it
> > delays longer, you know the username is invalid, which actually _helps_
> > brute forcing.
> >
> > ----- Original Message -----
> > From: "Daniel Grunblatt" <daniel@grunblatt.com.ar>
> > To: "Denis A. Doroshenko" <d.doroshenko@omnitel.net>
> > Cc: <tech@openbsd.org>
> > Sent: Monday, June 04, 2001 9:13 AM
> > Subject: Re: login sleeps too long on incorrect logins...
> >
> >
> > > I think that it's fine like now just to delay any try to remote brute
> > > force username guesses.
> > >
> > > d.-
> > >
> > > On Mon, 4 Jun 2001, Denis A. Doroshenko wrote:
> > >
> > > > hello, more than once I noticed that login sleeps too long on incorrect
> > > > logins (bad username). it is noticeably longer than the failure for an
> > > > account when a bad password is supplied. as I see from
> > > > src/usr.bin/login/login.c it is a simple sleep with a random time
> > > > (1..3 secs). wouldn't it be better to try encrypting some random string
> > > > with crypt(3) to get a delay emulating the pause? just because on my 486
> > > > this pause is ok, but on my Celeron 300 I can clearly distinguish between
> > > > non-existing user and bad-password incorrect logins...
> > > >
> > > > --
> > > > Denis A. Doroshenko  [GPRS/IN/WAP, VAS group engineer]
> > > > [Omnitel Ltd., T.Sevcenkos st. 25, Vilnius, Lithuania]
> > > > [Phone: +370 9863486 E-mail: d.doroshenko@omnitel.net]
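The point of the thread (a random sleep for an unknown user versus a real crypt(3) for a known user with a bad password, and the two being distinguishable on a fast machine) is shown below as an added example; it is not code from OpenBSD's login.c or from anyone in the thread. It contrasts a naive failure path with the fix Denis suggests, doing the same hashing work whether or not the user exists. Assumptions, labelled in the code as well: slow_hash() is a stand-in for crypt(3) (an iterated FNV-1a mix, not a secure password hash, used only so the example builds without libcrypt), the 1..3 s sleep is scaled down to 1..3 ms so the program finishes quickly, and the accounts "alice" and "bob" are constructed test data.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Added example, not OpenBSD's login.c. slow_hash() stands in for crypt(3):
 * it is NOT a secure password hash, it just costs measurable time and lets
 * the example build without libcrypt. */
#define STRETCH_ROUNDS 200000

/* Counts how often the expensive path ran: the "work" an attacker sees as time. */
static unsigned long hash_calls;

static uint64_t slow_hash(const char *salt, const char *pw)
{
    uint64_t h = 1469598103934665603ULL;
    hash_calls++;
    for (int r = 0; r < STRETCH_ROUNDS; r++) {
        for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
        for (const char *p = pw;   *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
        h ^= (uint64_t)r;
    }
    return h;
}

struct account { const char *name; const char *salt; uint64_t hash; };

/* Constructed user database (assumption: two test accounts). */
static struct account db[] = {
    { "alice", "a1", 0 },
    { "bob",   "b2", 0 },
};
static int db_ready;
static const char *DUMMY_SALT = "xx";   /* used when the user does not exist */

/* Fill in the stored hashes for constructed passwords; safe to call twice. */
static void init_db(void)
{
    db[0].hash = slow_hash(db[0].salt, "correct horse");
    db[1].hash = slow_hash(db[1].salt, "hunter2");
    db_ready = 1;
    hash_calls = 0;
}

static const struct account *lookup(const char *name)
{
    if (!db_ready) init_db();
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* Naive: an unknown user gets a random sleep (1..3 ms here, scaled from the
 * 1..3 s in the thread) and no hashing; a known user with a bad password
 * pays for the hash. Which one happened is visible in the response time. */
static int login_naive(const char *user, const char *pw)
{
    const struct account *a = lookup(user);
    if (a == NULL) {
        struct timespec ts = { 0, 1000000L + rand() % 2000001L };
        nanosleep(&ts, NULL);
        return 0;
    }
    return slow_hash(a->salt, pw) == a->hash;
}

/* Fixed: always hash, against a dummy salt if the user is unknown, and only
 * then decide. Both rejections are reached through the same work. */
static int login_fixed(const char *user, const char *pw)
{
    const struct account *a = lookup(user);
    uint64_t h = slow_hash(a ? a->salt : DUMMY_SALT, pw);
    if (a == NULL)
        return 0;
    return h == a->hash;
}

/* Wall-clock cost of one attempt, in milliseconds. */
static double elapsed_ms(int (*fn)(const char *, const char *),
                         const char *user, const char *pw)
{
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    fn(user, pw);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return (double)(t1.tv_sec - t0.tv_sec) * 1e3 +
           (double)(t1.tv_nsec - t0.tv_nsec) / 1e6;
}

int main(void)
{
    init_db();
    srand((unsigned)time(NULL));
    printf("naive: unknown user %.2f ms, bad password %.2f ms\n",
           elapsed_ms(login_naive, "nobody", "x"),
           elapsed_ms(login_naive, "alice", "x"));
    printf("fixed: unknown user %.2f ms, bad password %.2f ms\n",
           elapsed_ms(login_fixed, "nobody", "x"),
           elapsed_ms(login_fixed, "alice", "x"));
    return 0;
}
```

Running it prints the two naive timings spread over a range the hash never lands in, and the two fixed timings within noise of each other. Two caveats a practitioner would want: equalising the hashing work removes the gross signal the thread describes but not every one (the lookup itself, cache state, or a later per-user branch can still leak), so this is a floor, not a proof; and it does not replace the deliberate delay Daniel argues for, since a uniform sleep on every failure still slows remote brute forcing without telling the attacker which usernames exist.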