[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam module that allows users to write their own configuration



Thorsten Kukuk wrote:
On Fri, May 23, Frankie Boy wrote:

On Fri, May 23, Thorsten Kukuk wrote:

On Fri, May 23, Frankie Boy wrote:

Hello!

Me and my friend started to develop a PAM-module which moves the configuration-process responsibility from system administrator to system users. Every system user is able to configure his own pam-modules stack for authentication.
Hm, isn't that a big security risk? This would allow an user
to configure a very weak authentication schema, which allows
hacker to crack this account very fast ...

Thorsten
Thanks for your reply,

Yes, there is a possibility to create weak authentication scheme,
but it will allow hacker to crack only the account of a user who created this schema!

That's more than enough, for example to misuse the account for sending
out thousands of SPAM mail.

We realize that, but I personally believe that this is kind of a system bug and not the authentication process. In a system with 200 users for ex, someone might feel offended with system administrator and start to send spam by himself.

I know that there are a lot more security holes available to system users that available to outside hackers, but i believe that there shouldn't be any of them from both sides. This might seem a little naive but i think there should be no difference to system is the user really the user himself or is any hacker log in as him, system shouldn't allow any harmfully action in both cases.

When users will start to send spam we know who is guilty (the user himself),
but when hacker will crack into his account and he will mess something,
we can also say that the user is guilty because he set himself wrong authentication scheme :D.
And now it is only the user risk :D


Please note that in a system that use passwords to verify users, user might for example set password same as his user name or for example send his password to someone.

But then the admin did not setup the PAM stack correct ;-)
There are more than enough modules to make sure, that the user
always chooses a strong password.

  Thorsten


Yes, maybe this was not a good example,
but i just wanted to say that if someone wants to give his privileges to hackers he can do this,
difference is that with our module he can do this more in purposely.
This is maybe a big minus of our module, but as i said even when the module is installed
user don't have to use it ant it is his call and his responsibility.


I know our conception is little risky, but i hope it is worth developing :)

best regards, Franciszek Wawrzak




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]