pam_tally and fail_locktime
Benjamin Donnachie
benjamin at pythagoras.no-ip.org
Wed Oct 5 16:21:47 UTC 2005
Philip Yarra <philip.yarra at internode.on.net> wrote:
>> The only slight problem is that pam_abl will only run as root but I also
>> wanted to use it to protect httpd and php authentications which run as
>> apache - so I removed the root check from the source code and made the
>> database files world accessible.
>Hmmm... I think your approach makes sense. The group idea is good.
The only problem with that is pam authentication under php runs as the
current user - so, without pam_abl, I could potentially have a user on the
system launch an attack but not be blocked. Thus, I think I'm stuck with
world accessible files for now (not that I like it, though).
>> I'd recommend that you give pam_abl a go! If you need a hand to get it
>> working with services that authenticate while non-root, let me know and
>> I'll send you details of my modification.
>Have you considered contributing it as a patch?
I can do - it's really nothing as I only commented three or so lines out.
>Actually, my case is a bit easier, the only service I offer with auth is
>SSH, and at present I've simply firewalled off everything except 2 IPs.
That definitely makes things much easier! :-) Thinking about it, have you
considered public/private key authentication? I use it on my system to
restrict shell access - everyone with a password is just left with file
transfers using scponlyc.
>I really prefer to block access at the network level, so I've been looking
>at what would be involved in using a libipq app to look up allowed dynamic
>DNS host names (yeah, I'm on no-ip.org too :-) ) for incoming SYN packets
>and see if they currently resolve to the incoming IP address. If so,
>allow the TCP connection, else DROP. That, combined with pam_abl would be
>pretty formidable.
Could that be vulnerable to password attacks on no-ip or even DNS poisoning?
I was initially attracted to the idea of combining pam_abl with blocking at
the network level, but I now feel that I would prefer the attacks to get
through to pam_abl - at least then the attacker will have no idea that they
are blocked and if they stumble upon the right password it will just
(hopefully) be refused by pam_abl and they will continue searching!
>Now, spare time? That's the issue. I'll give it a go when I can.
Tell me about it! :-/
>I think the root-only auth will be okay. You made me think though... your
>situation is analogous to shadow passwords in some ways. Would suid root
>code be a way to handle this need to auth non-root users?
I thought about that, but I'm not sure whether I can do it within
modules... It's been a long while since I did any serious C programming
and I've got a fair bit of reading up to do yet... I'm making my way
through the PAM programmers guide and will then dust off my Linux
programming guide!
Ah-ha! I've just realised that this, as you pointed out, is exactly what
happens with shadow passwords, so it is definitely possible! Hopefully
all will become clear soon...
--
Benjamin
benjamin at pythagoras.no-ip.org
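The per-SYN decision Philip sketches above (accept the connection only if its source address is what an allowed dynamic DNS name currently resolves to, otherwise drop), written out as an added Python example that is not from this thread, from pam_abl, or from any libipq tool. It models only the verdict logic, not packet capture; the resolver is injectable so the constructed sample answers below run offline, and the hostnames and addresses are made up.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Set

# Resolver type (assumed for this example): hostname -> current set of address strings.
Resolver = Callable[[str], Set[str]]


def system_resolver(hostname: str) -> Set[str]:
    """Resolve a hostname to its current IPv4/IPv6 addresses via the OS resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def syn_verdict(src_ip: str, allowed_hosts: Iterable[str],
                resolve: Resolver = system_resolver) -> str:
    """Return 'ACCEPT' if src_ip matches what one of allowed_hosts resolves to right now,
    else 'DROP'. Every lookup happens at decision time, so the verdict is only as
    trustworthy as the answers: whoever controls the dynamic DNS account or can spoof
    the response for an allowed name controls who gets through (the risk raised above)."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "DROP"  # a malformed source address never matches anything
    for host in allowed_hosts:
        for addr in resolve(host):
            try:
                if ipaddress.ip_address(addr) == src:  # v4 vs v6 never compare equal
                    return "ACCEPT"
            except ValueError:
                continue  # ignore unparseable answers rather than failing open
    return "DROP"


# Constructed sample answers standing in for live dynamic DNS lookups (example data only).
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "home.example.net": {"203.0.113.10"},
    "laptop.example.net": {"198.51.100.7", "2001:db8::7"},
}


def sample_resolver(hostname: str) -> Set[str]:
    """Offline resolver returning the constructed answers above."""
    return SAMPLE_ANSWERS.get(hostname, set())


if __name__ == "__main__":
    for ip in ("203.0.113.10", "2001:db8::7", "192.0.2.99"):
        print(ip, syn_verdict(ip, SAMPLE_ANSWERS, sample_resolver))
```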