
Re: CVS: cvs.openbsd.org: src



On Sun, Jul 05, 1998 at 02:30:52PM -0600, Todd C. Miller wrote:
> CVSROOT:	/cvs
> Module name:	src
> Changes by:	millert_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org	98/07/05 14:30:50
> 
> Modified files:
> 	usr.bin/login  : login.c 
> 
> Log message:
> No need to call pwcheck() (and hence crypt()) if the user does not
> exist.  The only reason I did that in the first place was to get a
> fake s/key challenge.  Now if the user does not exist we just get
> the challenge if password was 's/key' else sleep for a bit to make
> it look like we are doing a crypt().

This sounds like it will leak; sleep() will lose your quanta, which
is likely to be noticeable on a fast machine.  Not that I consider
leaking usernames as horrible, but it isn't nice, either.

Eivind.
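
The difference discussed in this thread, as an added example that is not part of the original messages and is not OpenBSD's login.c: one check sleeps for unknown users, the other always computes one hash against a dummy record. All names, the PBKDF2 stand-in for crypt(), the work factor and the account data are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000            # assumed work factor for this example
STATS = {"kdf_calls": 0}        # counts hash computations per code path

def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(): a deliberately expensive password hash."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed account database: username -> (salt, stored hash).
_salt = os.urandom(16)
USERS = {"alice": (_salt, slow_hash("correct horse", _salt))}

# Dummy record used when the account does not exist. The stored value is
# random, so no password can ever match it.
DUMMY = (os.urandom(16), os.urandom(32))

def check_with_sleep(user: str, password: str) -> bool:
    """Unknown user: sleep instead of hashing. Burns wall time but no CPU."""
    rec = USERS.get(user)
    if rec is None:
        time.sleep(0.05)
        return False
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password, salt), stored)

def check_uniform(user: str, password: str) -> bool:
    """Always do exactly one hash and one constant-time compare."""
    salt, stored = USERS.get(user, DUMMY)
    matched = hmac.compare_digest(slow_hash(password, salt), stored)
    return matched and user in USERS

def cpu_cost(fn, user: str, password: str) -> float:
    """CPU seconds (not wall-clock) consumed by a single check."""
    start = time.process_time()
    fn(user, password)
    return time.process_time() - start

if __name__ == "__main__":
    for fn in (check_with_sleep, check_uniform):
        print(fn.__name__,
              "known: %.4fs" % cpu_cost(fn, "alice", "wrong"),
              "unknown: %.4fs" % cpu_cost(fn, "nobody", "wrong"))
```
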