From 88faada54006c022f3a40ee54b3e30eef7bc79b4 Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Mon, 24 Feb 2025 15:11:47 +0100
Subject: [PATCH] Adjust auth policy a bit to avoid giving away information about the existence or non-existence of accounts with valid account usernames.
---
 mig/shared/griddaemons/auth.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mig/shared/griddaemons/auth.py b/mig/shared/griddaemons/auth.py
index fe6a60e21..36bd2023d 100644
--- a/mig/shared/griddaemons/auth.py
+++ b/mig/shared/griddaemons/auth.py
@@ -316,6 +316,7 @@ def validate_auth_attempt(configuration,
 username, ip_addr, auth_msg, notify=notify, hint=session_hint)
 elif invalid_username:
+ # Drop as this is publicly known to be an invalid user
 disconnect = True
 if re.match(CRACK_USERNAME_REGEX, username) is not None:
 auth_msg = "Crack username detected"
@@ -332,7 +333,8 @@ def validate_auth_attempt(configuration,
 authlog(configuration, authlog_lvl, protocol, authtype, username, ip_addr, auth_msg, notify=notify)
 elif invalid_user:
- disconnect = True
+ # Do not indirectly give away information about user non-existence
+ disconnect = False
 auth_msg = "Invalid user"
 log_msg = auth_msg + " %s from %s" % (username, ip_addr)
 if tcp_port > 0:
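Review bot: Setting `disconnect = False` in the `invalid_user` branch of the second hunk only closes the account-existence oracle if the existing-user/bad-credential branch — which starts before this hunk, outside what is shown — also leaves `disconnect` False and applies the same failed-attempt accounting and any delay or rate limiting; the patch does not show that the two paths are otherwise aligned, and keeping the session open for unknown users means the rate-limiting that previously came for free from the disconnect must now come from that shared accounting. The branch still assigns the distinct `auth_msg = "Invalid user"`, which is fine as long as it only reaches `authlog` and the local log line; if `auth_msg` is ever surfaced to the client the same distinction would leak through message text, so it is worth confirming where it ends up (the function body continues past the hunk). The new comment would be more useful to the next maintainer if it named the invariant rather than the intent, e.g. `# Must match the failed-password path for existing users (session kept open, same attempt accounting) so clients cannot tell unknown from known accounts`. The first hunk is a comment-only change and needs nothing further.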