Posted to dev@guacamole.apache.org by GitBox <gi...@apache.org> on 2022/08/22 20:35:47 UTC

[GitHub] [guacamole-client] mike-jumper commented on pull request #758: GUACAMOLE-990: Add extension for automatically blocking brute-force auth attempts.

mike-jumper commented on PR #758:
URL: https://github.com/apache/guacamole-client/pull/758#issuecomment-1222970355

**NOTE:** This extension works by aborting authentication early by throwing a `GuacamoleClientTooManyException`, which immediately aborts via the following code path:

https://github.com/apache/guacamole-client/blob/fe56df73fbbe640ed276bac823bcfb2f296ac493/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java#L208-L211

This is naturally dependent on the order that extensions are loaded, hence naming things such that it's loaded first within the Docker image:

https://github.com/apache/guacamole-client/blob/fe56df73fbbe640ed276bac823bcfb2f296ac493/guacamole-docker/bin/start.sh#L1168-L1173

**Loading the extension before all other auth extensions is necessary for correct behavior with respect to timing**, and we'll have to document this in the manual.

If the extension is installed but _not_ loaded first, then extensions that load earlier will be given a chance to authenticate the user before guacamole-auth-ban can abort the auth process. Even though repeated auth attempts will still be blocked, the amount of time taken until that block occurs might vary by whether the credentials provided were valid according to those other extensions, and that variance in timing might allow an attacker to determine whether their guess is correct even though full auth is temporarily blocked.
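The timing variance described in the comment above, as an added simulation that is not code from the PR or from guacamole-auth-ban: a ban provider and a password provider are consulted in either order, with "ticks" standing in for elapsed time. The provider names, tick costs and the sample user are constructed, and the model assumes the ban still blocks a result produced by an earlier provider, as the comment states.

```python
from collections import defaultdict
# Constructed model of the ordering issue; "ticks" stand in for wall-clock time.
TICKS = {"ban:check": 1, "db:lookup": 1, "db:hash": 20, "db:load-profile": 5}

class TooManyAttempts(Exception): pass  # stands in for GuacamoleClientTooManyException

class BanProvider:  # refuses requests for a username after max_failures failures
    def __init__(self, max_failures=3):
        self.max_failures, self.failures = max_failures, defaultdict(int)
    def locked(self, username):
        return self.failures[username] >= self.max_failures
    def authenticate(self, username, password, trace):
        trace.append("ban:check")
        if self.locked(username):
            raise TooManyAttempts(username)
        return None                       # the ban provider never logs anyone in

class PasswordProvider:  # does more work for a correct guess: the leak source
    def __init__(self, users):
        self.users = users
    def authenticate(self, username, password, trace):
        trace.append("db:lookup")
        trace.append("db:hash")           # slow hash comparison, done for any name
        if self.users.get(username) == password:
            trace.append("db:load-profile")   # extra work only on success
            return username
        return None

def authenticate(chain, ban, username, password):  # first non-None result wins
    trace, user = [], None
    try:
        for provider in chain:
            user = provider.authenticate(username, password, trace)
            if user is not None:
                break
        if ban.locked(username):          # assumption: the block still applies
            raise TooManyAttempts(username)   # to a result from an earlier provider
    except TooManyAttempts:
        return None, trace
    if user is None:
        ban.failures[username] += 1
    return user, trace

def ticks_after_lockout(ban_first):
    """Ticks spent on a wrong vs. a correct guess once 'alice' is locked out."""
    ban, pw = BanProvider(3), PasswordProvider({"alice": "correct-horse"})
    chain = [ban, pw] if ban_first else [pw, ban]
    for _ in range(3):
        authenticate(chain, ban, "alice", "wrong")    # lock the account out
    return tuple(sum(TICKS[s] for s in authenticate(chain, ban, "alice", g)[1])
                 for g in ("wrong", "correct-horse"))
```

With the ban provider first, a locked-out user costs the same ticks whatever the guess; with it last, a correct guess still reaches the expensive success path before the block, so the two guesses are distinguishable by timing.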

