pam module that allows users to write their own configuration

Frankie Boy francioszary at wp.pl
Fri May 23 15:28:47 UTC 2008


Thorsten Kukuk wrote:
> On Fri, May 23, Frankie Boy wrote:
>
>> On Fri, May 23, Thorsten Kukuk wrote:
>>
>>> On Fri, May 23, Frankie Boy wrote:
>>>
>>>> Hello!
>>>>
>>>> My friend and I have started to develop a PAM module which moves the
>>>> responsibility for the configuration process from the system administrator to the system
>>>> users.
>>>> Every system user is able to configure his own PAM module stack for
>>>> authentication.
>>> Hm, isn't that a big security risk? This would allow a user
>>> to configure a very weak authentication scheme, which allows
>>> a hacker to crack this account very fast ...
>>>
>>> Thorsten
>> Thanks for your reply,
>>
>> Yes, there is a possibility to create a weak authentication scheme,
>> but it will allow a hacker to crack only the account of the user who created
>> this scheme!
>
> That's more than enough, for example to misuse the account for sending
> out thousands of SPAM mails.
>
We realize that, but I personally believe that this is kind of a system
bug and not an authentication process bug.
In a system with 200 users, for example, someone might feel offended by the
system administrator and start to send spam himself.

I know that there are a lot more security holes available to system
users than are available to outside hackers, but I believe that there
shouldn't be any of them on either side.
This might seem a little naive, but I think it should make no difference
to the system whether the user is really the user himself or some hacker has logged in as
him; the system shouldn't allow any harmful action in either case.

When users start to send spam we know who is guilty (the user
himself),
but when a hacker cracks into his account and messes something up,
we can also say that the user is guilty because he set himself a wrong
authentication scheme :D.
And now it is only the user's risk :D


>> Please note that in a system that uses passwords to verify users, a user might
>> for example set a password the same as his user name, or for example send his
>> password to someone.
>
> But then the admin did not set up the PAM stack correctly ;-)
> There are more than enough modules to make sure that the user
> always chooses a strong password.
>
>   Thorsten
>

Yes, maybe this was not a good example,
but I just wanted to say that if someone wants to give his privileges to
hackers he can do this;
the difference is that with our module he can do this more purposely.
This is maybe a big minus of our module, but as I said, even when the
module is installed
the user doesn't have to use it, and it is his call and his responsibility.


I know our concept is a little risky, but I hope it is worth developing :)

best regards, Franciszek Wawrzak