Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2020/03/25 15:54:00 UTC

[jira] [Commented] (GUACAMOLE-991) Pass and User Check before OTP Check make possible brute force...

    [ https://issues.apache.org/jira/browse/GUACAMOLE-991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17066776#comment-17066776 ] 

Mike Jumper commented on GUACAMOLE-991:
---------------------------------------

Checking the username/password first, only prompting for an authentication code if valid, is the standard approach to MFA.

Bear in mind that MFA is a defense against an entire account being compromised if one authentication factor (such as the username and password) is compromised. MFA is not a defense against brute force attempts to compromise one of those factors. If you wish to prevent brute force password guessing attempts, this is independent of whether MFA is in use. Deploying a solution like fail2ban (which automatically blocks access by IP address after a certain number of incorrect guesses) is the mechanism we normally recommend.

> Pass and User Check before OTP Check make possible brute force...
> -----------------------------------------------------------------
>
>                 Key: GUACAMOLE-991
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-991
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-totp
>            Reporter: Mathieu CARBONNEAUX
>            Priority: Trivial
>
> Hi,
>  
> Guacamole with the OTP module works like a charm...
> but the user and password are checked before redirecting to the OTP page...
> this makes user/pass brute force possible, because the attacker can know if the user + password is valid...
> ok, they need the token to achieve the complete connection... but they know the password...
>  
> why not systematically redirect to the OTP form, and check user + pass after the OTP form post (do the token validation only if user/pass are ok)? or use a 3-field form?
> in that way the attacker cannot know if the password is ok or if the token is bad...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
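The mitigation recommended in the comment above, as an added example that is not Guacamole code: a fail2ban-style per-source lockout in front of a two-step username/password then TOTP login. The credential store, the expected TOTP value, the thresholds and the IP addresses are constructed assumptions; a real deployment would hold salted password hashes and derive the TOTP from a shared secret.

```python
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5   # assumed value, plays the role of fail2ban "maxretry"
BAN_SECONDS = 600  # assumed value, plays the role of fail2ban "bantime"

# Constructed credential store (plain text only to keep the example short).
USERS = {"alice": "correct horse"}
EXPECTED_TOTP = "123456"  # constructed; a real code comes from a shared secret


class Throttle:
    """Counts failed logins per source address and bans the address once
    MAX_FAILURES is reached, whichever factor failed. The clock is injectable
    so the behaviour can be checked deterministically."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(int)
        self.banned_until = {}

    def is_banned(self, ip):
        return self.banned_until.get(ip, 0) > self.now()

    def record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.banned_until[ip] = self.now() + BAN_SECONDS
            self.failures[ip] = 0


def check_password(user, password):
    # compare_digest keeps timing independent of where the mismatch occurs
    stored = USERS.get(user, "")
    return user in USERS and hmac.compare_digest(stored.encode(), password.encode())


def check_totp(code):
    return hmac.compare_digest(EXPECTED_TOTP, code)


def login(throttle, ip, user, password, code=None):
    """Standard MFA order: password first, then the code. Returns one of
    'banned', 'invalid', 'otp-required', 'ok'. The distinct 'otp-required'
    reply is the signal the issue describes; the throttle is what bounds
    guessing of either factor."""
    if throttle.is_banned(ip):
        return "banned"
    if not check_password(user, password):
        throttle.record_failure(ip)
        return "invalid"
    if code is None:
        return "otp-required"
    if not check_totp(code):
        throttle.record_failure(ip)
        return "invalid"
    throttle.failures[ip] = 0
    return "ok"
```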