[JDEV] Returning a different response code for non-existent users

Thomas Muldowney temas at box5.net
Wed Oct 10 10:44:55 CDT 2001


The reason it is like this is one of those classic security reasons:
telling the user if their password was wrong or if the user does not
exist allows an attacker to wander around and find an account possibly
by guessing names.  Then they can begin to attack the password because
they will get a definite error when it is wrong.  Many clients store a
flag to know if they have an account already or they will have a
checkbox or wizard for new user creation.  I'll have to poke around to
find out where to hook in for the change you want though.

--temas


On Tue, Oct 09, 2001 at 11:15:59PM +0800, Miguel A.L. Paraz wrote:
> Hi,
> Sorry for the cross-post between jadmin and jdev - I'm not sure if this is 
> an admin thing that can be fixed using configuration, or if it needs coding,
> which I'm willing to do.
> 
> Right now, a 401/unauthorized error is returned if a user does not exist.
> This is the same as if the password is incorrect.
> I would like to know how can it be setup that a different 4xx error is 
> returned for nonexistent users.
> 
> The reason why:
> I already have pre-existing dialup users in a RADIUS database.
> I already have the contributed mod_auth_radius running.
> I want the client to try logging in automatically using the 
> dialup username/password.  If the server gives an error that the user is not
> yet defined, then the client will register automatically.
> 
> With the current setup, the client cannot tell if the 401 is due to
> the user not existing, or an incorrect password.
> 
> I was trying to trace through the code, and found that it is not the mod_auth_*
> module that returns the 401 if the user does not exist.  From the debug
> output, I could not easily tell which does the 401.  I'd like to change the
> error to the "Not Registered" error or something relevant.
> 
> Hints please?  Thanks.
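The point temas makes above, as an added example that is not part of this thread or of the jabberd code base: the two server behaviours side by side, a "leaky" handler that returns a distinct code for unknown users (what the original post asks for) and a "uniform" handler that answers unknown user and wrong password identically and does the same hashing work in both cases, so neither the response nor the timing tells a caller whether the name is taken. The account table, passwords and response strings are constructed for the example; real servers would map them onto their own error codes.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the example (not real data):
# username -> (salt, PBKDF2 hash of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


ACCOUNTS = {
    "alice": _make_account("correct horse"),
    "bob": _make_account("hunter2"),
}

# Dummy credential used whenever the username is unknown, so the server
# performs the same hashing work (and takes about the same time) whether or
# not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def authenticate_leaky(username: str, password: str) -> str:
    """What the original post asks for: a distinct code for unknown users.
    Every answer reveals whether the account exists."""
    account = ACCOUNTS.get(username)
    if account is None:
        return "not-registered"          # tells the caller the name is free
    salt, stored = account
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    return "unauthorized"                # tells the caller the name is taken


def authenticate_uniform(username: str, password: str) -> str:
    """What temas defends: unknown user and wrong password are
    indistinguishable, both in the response and in the work performed."""
    known = username in ACCOUNTS
    salt, stored = ACCOUNTS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Hash unconditionally; compare_digest avoids a byte-by-byte early exit.
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    # 'known' is checked as well so that guessing the dummy password for a
    # nonexistent user can never produce "ok".
    return "ok" if (known and matched) else "unauthorized"


def leaks_existence(authenticate) -> bool:
    """Defender's self-check: does the server answer differently for an
    unknown name than for a known name with the wrong password?"""
    unknown = authenticate("nobody-here", "whatever")
    wrong_pw = authenticate("alice", "definitely wrong")
    return unknown != wrong_pw


if __name__ == "__main__":
    print("leaky handler leaks existence:", leaks_existence(authenticate_leaky))
    print("uniform handler leaks existence:", leaks_existence(authenticate_uniform))
```

With the uniform handler the "register automatically" decision has to come from the client side, as temas describes: the client remembers whether it has already created its account (or asks the user through a wizard), rather than inferring it from the server's error.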