[Twisted-Python] enterprise.dbcred.DatabaseAuthorizer

Paul Swartz z3p at twistedmatrix.com
Sat Apr 26 10:55:05 MDT 2003


On 26 Apr 2003 at 11:23, Justin Ryan wrote:

> Consider, from a security standpoint, that an attacker is trying to
> brute-force your server.  'service subscription' error says 'you have
> correctly guessed a username, but are attempting to access the wrong
> service'.  Having a valid username is much closer to a username/password
> pair than not having a valid username.. ;p

What Conch does for this is takes whatever error 
the authentication raises, whether it be invalid 
user, invalid password, etc., and turns it into a 
generic 'not authenticated' message.  If you want 
to keep attackers from knowing which names are 
actual users, you probably just want to do that, 
rather than having a flag in the Authorizer.

-p

-- 
     Paul Swartz
(o_  http://twistedmatrix.com/users/z3p.twistd/
//\  z3p at twistedmatrix.com
V_/_ AIM: Z3Penguin





More information about the Twisted-Python mailing list