Re: i18n problem in GDM



On Wed, Mar 10, 2004 at 10:59:07AM +0700, Ross Golder wrote:
> Hehe. I don't know whether to laugh or cry. I find it strange that I could
> just walk up to a DOD computer, type in a login and it will confirm that
> the account exists and when that person last logged on. I guess I'd still
> have to have access to a DOD computer in the first place :)
> 
> If I logged into a non-graphical terminal (e.g. 'login' process), it would
> only be _after_ I'd successfully authenticated myself as a legitimate user
> before it said 'you last logged in on' and I was able to use commands like
> 'last' to determine who logged in and when.
> 
> Anyways, end of rant. I guess, being in the defence (sp - en_GB) business,
> it's up to the DOD to decide on their own definition of security :)

I would assume that 1) being able to figure out if a username is valid is
quite useless.  If knowing that the username is valid helps you gain access,
then that user was a complete moron for not setting a password.  This is
especially true for graphical logins, where automated brute force attacks are
almost impossible (even for remote login).  Plus there are many other ways to
test if a username is valid.

However it IS a valid concern to know when this user last logged in BEFORE
actually logging in, due to possible malicious login scripts.  Once logged
in, the attacker could have added a 'last' alias or whatnot that lists only
your valid logins.  While you could figure this out it is not trivial.

It seems that dtlogin is already revealing if a username is valid and it
doesn't seem like an issue for security there either.

> Does the 'last' check run in a separate thread, or does it block the
> password entry? Under load 'last' can take around ten seconds on my
> machine, and that's only for one month of logins on a single-user laptop.
> I don't want to grow a beard waiting to be able to enter my password :)

That is likely because your last is listing everything to a terminal.  Try
'last > /dev/null' and be amazed at how fast that is.  If it still takes more
than a second, then something is seriously screwy with your system.

> Also, IMHO, it'd be better to handle the lookup within gdm, using wtmp
> file directly and l10n'ing the output using gettext. Should make it even
> quicker, and solve the i18n issue.

Yes.  Feel free to submit a patch.

George

-- 
George <jirka@5z.com>
   I finally figured out the only reason to be alive is to enjoy it.
                       -- Rita Mae Brown
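
The direct wtmp lookup suggested in the quoted message, as an added example that is not part of the original thread and is not GDM code. It assumes Linux/glibc, where wtmp is a flat array of `struct utmpx` records; `last_login`, `append_sample` and the file name `wtmp.sample` are hypothetical, and the records are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* Return the time of the newest USER_PROCESS (login) record for `user` in the
 * wtmp-format file `path`, or -1 if there is none or the file is unreadable.
 * The tty/display of that login is copied into `line` when it is non-NULL. */
long last_login(const char *path, const char *user, char *line, size_t line_len)
{
    struct utmpx rec;
    long when = -1;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    while (fread(&rec, sizeof rec, 1, f) == 1) {
        /* ut_user is fixed-width and may lack a terminating NUL */
        if (rec.ut_type != USER_PROCESS ||
            strncmp(rec.ut_user, user, sizeof rec.ut_user) != 0)
            continue;
        when = (long)rec.ut_tv.tv_sec;   /* append-only file: later is newer */
        if (line != NULL && line_len > 0)
            snprintf(line, line_len, "%.*s", (int)sizeof rec.ut_line, rec.ut_line);
    }
    fclose(f);
    return when;
}

/* Append one constructed record to a sample file (demo data only). */
int append_sample(const char *path, short type, const char *user,
                  const char *line, long t)
{
    struct utmpx rec;
    FILE *f = fopen(path, "ab");
    if (f == NULL)
        return -1;
    memset(&rec, 0, sizeof rec);
    rec.ut_type = type;
    strncpy(rec.ut_user, user, sizeof rec.ut_user);
    strncpy(rec.ut_line, line, sizeof rec.ut_line);
    rec.ut_tv.tv_sec = t;
    fwrite(&rec, sizeof rec, 1, f);
    return fclose(f);
}

int main(void)
{
    const char *path = "wtmp.sample";   /* constructed sample, not /var/log/wtmp */
    char line[64] = "";
    remove(path);
    append_sample(path, USER_PROCESS, "alice", ":0", 1078891147L);
    append_sample(path, DEAD_PROCESS, "alice", ":0", 1078895000L);
    append_sample(path, USER_PROCESS, "alice", "tty2", 1078896000L);
    printf("alice: %ld on %s\n", last_login(path, "alice", line, sizeof line), line);
    return remove(path);
}
```

Because the function returns a raw timestamp rather than the text printed by 'last', the greeter can format it through gettext in the user's locale.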


