Including pam_faildelay module in PAM distribution/possible security problem

Bjoern Voigt bjoern at cs.tu-berlin.de
Sun Nov 12 22:03:36 UTC 2006


Bjoern Voigt wrote:
>   3. I don't like the hardcoded "sleep" function very much. This is
>      especially problematic within GUI programs. A GUI program can not
>      react to events if it waits for PAM. Ideally an application could
>      register a custom wait/sleep callback function. Unfortunately such
>      a new callback would not help to secure unmodified programs.
After looking at the manual page for "pam_fail_delay" and the source 
code more deeply, I saw that we already have such faildelay callback 
functions.

An application programmer could write log entries about failed logins 
within this callback function before sleeping to avoid the security 
problem. But does such a solution match the design principles of PAM?

Greetings, Björn
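
What the message above sketches, as an added example that is not code from this thread or from Linux-PAM itself: an application installs its own PAM_FAIL_DELAY callback with pam_set_item(), and that callback writes the failed-login record before it blocks, so the audit entry no longer depends on the process surviving the delay. The 5-second cap, the log line format and the assumption that the application passed the user name as the appdata_ptr of its struct pam_conv are choices made for this example; the PAM calls are compiled only when <security/pam_appl.h> is available, and the short main() exercises the callback without a PAM handle.

```c
/* Added example, not from the Pam-list thread or Linux-PAM: an application-side
 * PAM_FAIL_DELAY callback that logs the failed authentication *before* sleeping. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#if defined(__has_include)
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_PAM_APPL 1
#  endif
#endif

#ifndef PAM_SUCCESS
#define PAM_SUCCESS 0   /* value used by Linux-PAM; only needed without the header */
#endif

/* Cap chosen for this example: a GUI should never hang longer than 5 s. */
#define MAX_DELAY_USEC 5000000u

/* Bound the delay PAM asks for, so the UI stays responsive within a known limit. */
unsigned clamp_delay_usec(unsigned usec) {
    return usec > MAX_DELAY_USEC ? MAX_DELAY_USEC : usec;
}

/* Build the audit line for a failed authentication. Returns the line length,
 * 0 when retval is PAM_SUCCESS (nothing to record), or -1 if buf is too small.
 * PAM calls the delay function after every pam_authenticate(), so successes
 * must be filtered out here rather than assumed away. */
int format_fail_delay_log(int retval, unsigned usec, const char *user,
                          char *buf, size_t len) {
    if (retval == PAM_SUCCESS)
        return 0;
    int n = snprintf(buf, len, "auth failure user=%s pam_retval=%d delay_usec=%u",
                     user ? user : "(unknown)", retval, usec);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Signature required by PAM_FAIL_DELAY: void (*)(int, unsigned, void *).
 * Linux-PAM passes the appdata_ptr from the application's struct pam_conv;
 * this example assumes the application stored the user name there. */
void log_then_delay(int retval, unsigned usec_delay, void *appdata_ptr) {
    const char *user = appdata_ptr;
    char line[256];

    /* Record first: the log entry exists even if we are killed mid-sleep. */
    if (format_fail_delay_log(retval, usec_delay, user, line, sizeof line) > 0)
        fprintf(stderr, "%s\n", line);

    unsigned capped = clamp_delay_usec(usec_delay);
    if (capped > 0) {
        struct timespec ts = { (time_t)(capped / 1000000u),
                               (long)(capped % 1000000u) * 1000L };
        /* Resume the sleep if a signal interrupts it, so the delay is honoured. */
        while (nanosleep(&ts, &ts) == -1 && errno == EINTR) {
        }
    }
}

#ifdef HAVE_PAM_APPL
/* Install the callback once, after pam_start(). The cast of a function
 * pointer to const void * is the documented way to set PAM_FAIL_DELAY. */
static inline int register_fail_delay(pam_handle_t *pamh) {
    return pam_set_item(pamh, PAM_FAIL_DELAY, (const void *)log_then_delay);
}
#endif

/* Stand-alone demonstration without a PAM handle: logs, then sleeps 0.2 s. */
int main(void) {
    char user[] = "demo-user";            /* constructed sample appdata */
    log_then_delay(7, 200000u, user);     /* 7 stands in for a failure code */
    log_then_delay(PAM_SUCCESS, 0u, user); /* success: nothing logged, no sleep */
    return 0;
}
```

Registering the callback does not change which accounts PAM delays or by how much; it only moves the sleep under the application's control, which is why the record has to be written before the sleep rather than after it.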
