Re: Including pam_faildelay module in PAM distribution/possible security problem
- Subject: Re: Including pam_faildelay module in PAM distribution/possible security problem
- From: Thorsten Kukuk <kukuk@xxxxxxx>
- Date: Fri, 10 Nov 2006 12:39:27 +0100
- In-reply-to: <453B6F72.4070701@xxxxxxxxxxxxxxx>
- Organization: SuSE Linux Products GmbH, Nuernberg, Germany
- User-agent: Mutt/1.5.9i
On Sun, Oct 22, Bjoern Voigt wrote:
> Hello!
>
> For a long time I have missed support for PAM's pam_fail_delay() function in
> common Linux applications. For instance, OpenSSH and SUDO don't support
> fail delay without special patches.
Something I should mention here: pam_fail_delay() has a huge drawback/
security problem:
Since libpam is sleeping here, the application has no chance to log
the failed authentication attempt.
Depending on the application, you can abort the application with
Ctrl-C while it is inside the delay function. As a result, there
will never be a syslog entry about the failed login attempt.
Some time (years?) ago we had the security problem that an attacker
could use some applications for brute-force attacks by aborting
them during the delay, because the following happened:
- authentication fails
- sleep()
- syslog()
This was changed to
- authentication fails
- syslog()
- sleep()
With pam_fail_delay, you will always have sleep before syslog; this is
not changeable.
And I have no good idea how to make sure that the libpam sleep will
not be aborted.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@xxxxxxx
SUSE LINUX Products GmbH Maxfeldstr. 5 D-90409 Nuernberg
--------------------------------------------------------------------
Key fingerprint = 8C6B FD92 EE0F 42ED F91A 6A73 6D1A 7F05 2E59 24BB
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
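The ordering problem described in the message above, as an added example that is not part of the original mail or of Linux-PAM: a child process plays the authenticating application and runs its failure path in one of the two orders ("sleep, then log" versus "log, then sleep"), while the parent plays the user pressing Ctrl-C by sending SIGINT during the delay. The audit record is written to a pipe instead of syslog(3) so the result can be checked offline; the function and variable names, the 2-second delay and the log record text are all constructed for this example.

```c
/* Why "sleep(); syslog();" loses the audit record when the program is
 * aborted with Ctrl-C during the delay, while "syslog(); sleep();" keeps it.
 * Added example; not code from the mail above or from Linux-PAM. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum order { SLEEP_THEN_LOG, LOG_THEN_SLEEP };

/* Stand-in for syslog(3): the record goes to a pipe the parent reads. */
static void audit_log(int logfd, const char *msg)
{
    ssize_t n = write(logfd, msg, strlen(msg));
    (void)n;
}

/* Stand-in for the failure delay (with pam_fail_delay() libpam sleeps here). */
static void fail_delay(unsigned seconds)
{
    struct timespec ts = { .tv_sec = seconds, .tv_nsec = 0 };
    nanosleep(&ts, NULL);
}

/* The application's failed-authentication path in the chosen order. */
static void handle_auth_failure(int logfd, enum order o)
{
    /* Constructed sample record; a real application would log via syslog(). */
    const char *rec = "auth failure: user=bob rhost=203.0.113.5\n";
    if (o == SLEEP_THEN_LOG) {
        fail_delay(2);
        audit_log(logfd, rec);
    } else {
        audit_log(logfd, rec);
        fail_delay(2);
    }
}

/* Run the failure path in a child, hit it with SIGINT ("Ctrl-C") while it
 * is inside the delay, and report whether an audit record got out.
 * Returns 1 if the record was logged, 0 if it was lost, -1 on error. */
int record_survives_abort(enum order o)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        signal(SIGINT, SIG_DFL);        /* default disposition: terminate */
        handle_auth_failure(fds[1], o);
        _exit(0);
    }
    close(fds[1]);
    struct timespec settle = { .tv_sec = 0, .tv_nsec = 200000000L };
    nanosleep(&settle, NULL);           /* let the child reach the delay */
    kill(pid, SIGINT);                  /* the user presses Ctrl-C */
    int status;
    waitpid(pid, &status, 0);
    char buf[128];
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    if (n < 0)
        return -1;
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("sleep then log: record %s\n",
           record_survives_abort(SLEEP_THEN_LOG) ? "kept" : "LOST");
    printf("log then sleep: record %s\n",
           record_survives_abort(LOG_THEN_SLEEP) ? "kept" : "LOST");
    return 0;
}
```

The child is killed by the default SIGINT action exactly as a foreground login program would be; in the first ordering it dies before the write ever happens, so nothing reaches the log, which is the brute-force blind spot the mail describes. Note that this only models the ordering inside the application itself; when the sleep is performed inside libpam by pam_fail_delay(), the application has no point between the failure and the delay at which to write its record.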