Re: i18n problem in GDM
- From: George <jirka 5z com>
- To: Ross Golder <ross golder org>
- Cc: Kjartan Maraas <kmaraas broadpark no>, gnome-i18n gnome org
- Subject: Re: i18n problem in GDM
- Date: Tue, 9 Mar 2004 20:48:56 -0800
On Wed, Mar 10, 2004 at 10:59:07AM +0700, Ross Golder wrote:
> Hehe. I don't know whether to laugh or cry. I find it strange that I could
> just walk up to a DOD computer, type in a login and it will confirm that
> the account exists and when that person last logged on. I guess I'd still
> have to have access to a DOD computer in the first place :)
>
> If I logged into a non-graphical terminal (e.g. 'login' process), it would
> only be _after_ I'd successfully authenticated myself as a legitimate user
> before it said 'you last logged in on' and I was able to use commands like
> 'last' to determine who logged in and when.
>
> Anyways, end of rant. I guess, being in the defence (sp - en_GB) business,
> it's up to the DOD to decide on their own definition of security :)
I would assume that 1) being able to figure out if a username is valid is
quite useless. If knowing that the username is valid helps you gain access,
then that user was a complete moron for not setting a password. This is
especially true for graphical logins, where automated brute force attacks are
almost impossible (even for remote login). Plus there are many other ways to
test if a username is valid.
However it IS a valid concern to know when this user last logged in BEFORE
actually logging in, due to possible malicious login scripts. Once logged
in, the attacker could have added a 'last' alias or whatnot that lists only
your valid logins. While you could figure this out it is not trivial.
It seems that dtlogin is already revealing if a username is valid and it
doesn't seem like an issue for security there either.
> Does the 'last' check run in a separate thread, or does it block the
> password entry? Under load 'last' can take around ten seconds on my
> machine, and that's only for one month of logins on a single-user laptop.
> I don't want to grow a beard waiting to be able to enter my password :)
That is likely because your last is listing everything to a terminal. Try
'last > /dev/null' and be amazed at how fast that is. If it still takes more
than a second, then something is seriously screwy with your system.
> Also, IMHO, it'd be better to handle the lookup within gdm, using wtmp
> file directly and l10n'ing the output using gettext. Should make it even
> quicker, and solve the i18n issue.
Yes. Feel free to submit a patch.
George
--
George <jirka@5z.com>
I finally figured out the only reason to be alive is to enjoy it.
-- Rita Mae Brown
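
The direct wtmp lookup suggested in the thread, as an added example (not code from GDM or from either poster). It assumes Linux/glibc, where the wtmp file is a sequence of fixed-size `struct utmpx` records; `make_rec` and `last_login_stream` are hypothetical names, and `make_rec` exists only to construct sample records.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utmpx.h>

/* Build one record; used only to construct sample input. */
struct utmpx make_rec(short type, const char *user, time_t when)
{
    struct utmpx r;
    memset(&r, 0, sizeof r);
    r.ut_type = type;
    strncpy(r.ut_user, user, sizeof r.ut_user);
    r.ut_tv.tv_sec = when;
    return r;
}

/* Scan wtmp-format records from fp and return the time of the newest
 * USER_PROCESS (login) record for user, or (time_t)-1 if there is none. */
time_t last_login_stream(FILE *fp, const char *user)
{
    struct utmpx r;
    time_t best = (time_t)-1;

    if (strlen(user) > sizeof r.ut_user)
        return best;              /* cannot match a fixed-width field */
    while (fread(&r, sizeof r, 1, fp) == 1) {
        if (r.ut_type != USER_PROCESS)
            continue;             /* skip boot, logout, runlevel records */
        /* ut_user is fixed width and not always NUL-terminated */
        if (strncmp(r.ut_user, user, sizeof r.ut_user) != 0)
            continue;
        if (best == (time_t)-1 || r.ut_tv.tv_sec > best)
            best = r.ut_tv.tv_sec;
    }
    return best;
}

int main(int argc, char **argv)
{
    char buf[64];
    FILE *fp;
    time_t t;

    /* /var/log/wtmp is the usual Linux location (assumption) */
    if (argc < 2 || (fp = fopen("/var/log/wtmp", "rb")) == NULL)
        return 1;
    t = last_login_stream(fp, argv[1]);
    fclose(fp);
    if (t == (time_t)-1)
        return 2;
    /* strftime follows LC_TIME once the caller has run setlocale() */
    strftime(buf, sizeof buf, "%c", localtime(&t));
    puts(buf);
    return 0;
}
```

Because the result is a plain `time_t`, the caller can format it with `strftime` and wrap the surrounding message in gettext, rather than displaying the untranslated output of `last`.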