| From: | Alan T DeKok <aland(at)freeradius(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #5687: RADIUS Authentication issues |
| Date: | 2010-10-03 16:30:35 |
| Message-ID: | 4CA8AFAB.3090703@freeradius.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Tom Lane wrote:
> Hm ... seems to me that is a network security problem, not our problem.
> Who's to say one of the spoofed packets won't pass verification?
The packets are signed with a shared key. Passing verification means
either the attacker knows the key, or the attacker has broken MD5 in
ways that are currently unknown.
> If you want to change it, I won't stand in the way, but I have real
> doubts about both the credibility of this threat and the usefulness
> of the proposed fix.
The credibility of the threat is high. Anyone can trivially send a
packet which will cause authentication to fail. This is a DoS attack.
The usefulness of the fix is to mitigate the threat, and the implement
the security features mandated by RFC 2865. It's also how *all* RADIUS
implementations work.
Alan DeKok.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrea Peri 2007 | 2010-10-03 16:51:03 | Re: Postgres 9.0 crash on win7 |
| Previous Message | Tony marston | 2010-10-03 16:16:05 | BUG #5690: pg_upgrade fails |