Details
- Improvement
- Status: Closed
- Trivial
- Resolution: Invalid
Description
Hi,
Guacamole with the OTP module works like a charm...
but the user and password are checked before redirecting to the OTP page...
This makes user/password brute force possible, because the attacker can know if the user + password is valid....
OK, they need the token to achieve the complete connection... but they know the password...
Why not redirect systematically to the OTP form, and check user + pass after the OTP form post (do the token validation only if user/pass are OK)? Or use a 3-field form?
That way the attacker cannot know if the password is OK or if the token is bad...
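The two login flows contrasted in the report, as an added illustration that is not part of the issue or of Guacamole's code: the user store, salt, TOTP secret, hashing scheme and function names are all constructed for the demo. The two-step flow answers differently depending on whether the password alone was right; the single-step flow evaluates both factors and returns one outcome for every failure.

```python
import hashlib
import hmac
import struct

# Constructed demo user store (not Guacamole's data model): salted PBKDF2
# password hash plus a per-user TOTP secret (the RFC 6238 test secret).
SALT = b"demo-salt"

def hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

USERS = {"alice": {"pw_hash": hash_pw("correct horse"),
                   "totp_secret": b"12345678901234567890"}}

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], hash_pw(password))

def check_token(user: str, token: str, now: int) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(totp(rec["totp_secret"], now), token)

# Flow described in the report: the password is verified first, and the
# response (redirect to the OTP form vs. error) reveals whether it was right.
def login_two_step(user: str, password: str) -> str:
    if not check_password(user, password):
        return "invalid_credentials"
    return "redirect_to_otp_form"

# Hardened flow suggested in the report: collect all factors up front, check
# both without short-circuiting, and give one answer for any failure, so a
# caller cannot tell a bad password from a bad token.
def login_single_step(user: str, password: str, token: str, now: int) -> str:
    pw_ok = check_password(user, password)
    tok_ok = check_token(user, token, now)
    return "authenticated" if (pw_ok and tok_ok) else "invalid_credentials"
```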