[Twisted-Python] enterprise.dbcred.DatabaseAuthorizer
Paul Swartz
z3p at twistedmatrix.com
Sat Apr 26 10:55:05 MDT 2003
On 26 Apr 2003 at 11:23, Justin Ryan wrote:
> Consider, from a security standpoint, that an attacker is trying to
> brute-force your server. 'service subscription' error says 'you have
> correctly guessed a username, but are attempting to access the wrong
> service'. Having a valid username is much closer to a username/password
> pair than not having a valid username.. ;p
What Conch does for this is to take whatever error the authentication raises, whether it be invalid user, invalid password, etc., and turn it into a generic 'not authenticated' message. If you want to keep attackers from knowing which names are actual users, you probably just want to do that, rather than having a flag in the Authorizer.
-p
--
Paul Swartz
(o_ http://twistedmatrix.com/users/z3p.twistd/
//\ z3p at twistedmatrix.com
V_/_ AIM: Z3Penguin
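An added illustration of the pattern Paul describes (example code, not code from this thread, from Conch or from Twisted): a hypothetical authorizer raises a distinct error for each failure cause, and a wrapper collapses all of them into one generic 'not authenticated' message for the client while logging the real cause server-side. The user table, service names and function names are constructed for this example.

```python
import hmac
import logging

log = logging.getLogger("auth")

# Constructed sample credential store: username -> (password, permitted services).
USERS = {
    "alice": ("correct horse", {"ssh", "mail"}),
    "bob": ("battery staple", {"mail"}),
}

# Detailed failure causes, as a per-cause authorizer would raise them.
class UnknownUser(Exception): ...
class BadPassword(Exception): ...
class ServiceNotSubscribed(Exception): ...

class NotAuthenticated(Exception):
    """The single error a client is allowed to observe."""

GENERIC_MESSAGE = "not authenticated"

def check_detailed(username, password, service):
    """Hypothetical authorizer: each failure cause gets its own exception,
    which is exactly what leaks 'valid username' to a brute-forcer."""
    if username not in USERS:
        raise UnknownUser(username)
    stored_password, services = USERS[username]
    # compare_digest avoids an early-exit comparison on the password bytes.
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        raise BadPassword(username)
    if service not in services:
        raise ServiceNotSubscribed(f"{username} has no '{service}' subscription")
    return username

def authenticate(username, password, service):
    """Collapse every failure into one client-facing error (the Conch approach),
    but keep the real cause in the server log for monitoring and response."""
    try:
        return check_detailed(username, password, service)
    except (UnknownUser, BadPassword, ServiceNotSubscribed) as exc:
        log.warning("login failed user=%r service=%s cause=%s",
                    username, service, type(exc).__name__)
        raise NotAuthenticated(GENERIC_MESSAGE) from None

def client_visible_error(username, password, service):
    """Return the message a client would receive, or None on success."""
    try:
        authenticate(username, password, service)
        return None
    except NotAuthenticated as exc:
        return str(exc)
```

All three failure paths (unknown user, wrong password, wrong service) yield the same string to the caller, so the response no longer distinguishes a valid username from an invalid one.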