
Re: large delays on failed authentication



Ingo Luetkebohle wrote:
> On Thu, 27 Mar 1997, Andrew G. Morgan wrote:
> > No, the delay should not provide any information about the availability (or
> > not) of accounts on a system. This is known as a covert channel of
> > information and the point of implementing pam_fail_delay was to avoid such
> > things.
> 
> I agree. Still, "pam_fail_delay" only allows me to _in_crease the delay,
> not decrease it, or so it seems. Did I just do something wrong or is that
> just the way it works?

This is just the way it works.

pam_fail_delay() is used to request a minimum delay. If your libpam was
compiled to support it, each module (or application) is able to request the
minimum delay. The delay that is used is that of the longest request (*).
In this way an attacker cannot decide which module was the one that failed,
but all modules can be sure that a failure results in a delay that is "at
least" as long as they require.

(*) The actual delay is distributed randomly by 25% about the maximum delay.

Said with a different set of words:

http://parc.power.net/morgan/Linux-PAM/Linux-PAM-html/pam_modules-2.html#ss2.2

and more here:

	> man pam_fail_delay

Regards

Andrew
-- 
               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
                  http://parc.power.net/morgan/index.html
       [ For those that prefer FTP  ---  ftp://ftp.lalug.org/morgan ]
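As an added illustration of the rules Andrew describes (a model written for this page, not Linux-PAM's own code; the two module names and the 1 s / 2 s floors are made up), the following shows a request only ever raising the floor, the longest request winning, and the imposed delay jittered by 25% about that maximum, so the delay seen by the client is the same whether the lookup or the password module rejected the attempt:

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the pam_fail_delay() rules (added example, not Linux-PAM code):
 * a request can only raise the minimum delay, the longest request wins, and
 * the imposed delay is randomised by +/-25% around that maximum. */
typedef struct {
    unsigned int max_usec;   /* longest minimum delay requested so far */
} fail_delay_ctx;

/* What a module does via pam_fail_delay(): raise the floor, never lower it. */
void request_fail_delay(fail_delay_ctx *ctx, unsigned int usec)
{
    if (usec > ctx->max_usec)
        ctx->max_usec = usec;
}

/* Delay imposed on failure, uniform over [0.75*max, 1.25*max].
 * 'rnd' (0..999) is supplied by the caller so results are reproducible. */
unsigned int effective_fail_delay(const fail_delay_ctx *ctx, unsigned int rnd)
{
    unsigned int base = ctx->max_usec;
    unsigned int window = base / 2;   /* the 50% wide jitter band */
    unsigned int offset = (unsigned int)((unsigned long long)window * (rnd % 1000) / 1000);
    return base - base / 4 + offset;
}

/* Two hypothetical 'required' modules: a lookup module that fails early for
 * unknown users and a password module that fails after comparing a hash.
 * Both register their floor either way, so the delay does not reveal which one failed. */
unsigned int simulate_stack(int user_exists, unsigned int rnd, int *failed_module)
{
    fail_delay_ctx ctx = { 0 };
    request_fail_delay(&ctx, 1000000);          /* lookup module: 1 s floor */
    if (!user_exists)
        *failed_module = 1;                     /* unknown user */
    /* the password module still runs and still asks for its 2 s floor */
    request_fail_delay(&ctx, 2000000);
    if (user_exists)
        *failed_module = 2;                     /* wrong password */
    return effective_fail_delay(&ctx, rnd);
}

int main(void)
{
    int m;
    unsigned int rnd = (unsigned int)(rand() % 1000);
    printf("existing user: %u us, unknown user: %u us\n",
           simulate_stack(1, rnd, &m), simulate_stack(0, rnd, &m));
    return 0;
}
```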


