pam_unix.so and unix_chkpw setgid - does it work for regular users?

Wolfgang Draxinger Wolfgang.Draxinger at physik.uni-muenchen.de
Thu Aug 2 22:53:52 UTC 2012


On Thu, 2 Aug 2012 12:47:36 -0700
Steve Langasek <vorlon at debian.org> wrote:

> It's so that a regular user can *self* authenticate.  Allowing users
> to call this setgid helper directly for other accounts would let them
> use it for brute forcing of passwords.  So no, what you're asking for
> is disallowed by design.

Well, how about making brute forcing passwords hard by using a hash
function designed for use with passwords, like bcrypt? That way all
the user did was waste his CPU cycles without getting close to
anything.

I do understand the motivation for preventing a user from using unix_chkpw
for brute forcing. But what prevents said user from using `ssh
localhost` for this? Well, the increasing retry delay, maybe a disallow
for localhost (erm...). But one could also add a usleep(100000) after a
negative result, and thus slow down a brute force significantly.


Wolfgang
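The three ideas in the exchange above (a helper that only answers for the caller's own account, a deliberately slow password hash, and a sleep after a negative result), as an added example that is not code from this thread or from Linux-PAM's unix_chkpwd. It is written in Python rather than the helper's C so it runs stand-alone; the users, passwords, iteration count and FAIL_DELAY are assumptions, and the standard library's PBKDF2 stands in for the bcrypt the post mentions.

```python
# Added example, not code from the pam-list thread or from Linux-PAM's
# unix_chkpwd: a toy password-check helper built around the three points in
# the message above. Users, passwords, cost parameters and the delay are all
# constructed for the example.
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # assumed cost; stands in for a bcrypt work factor
FAIL_DELAY = 0.1              # seconds; the post suggests usleep(100000)


def hash_password(password: str, salt: bytes) -> bytes:
    """Deliberately slow, salted hash. PBKDF2 is used because it is in the
    standard library; bcrypt (as the post suggests) would play the same role."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def make_entry(uid: int, password: str) -> tuple:
    salt = os.urandom(16)
    return (uid, salt, hash_password(password, salt))


# Constructed in-memory stand-in for /etc/shadow: user -> (uid, salt, hash).
SHADOW = {
    "alice": make_entry(1000, "correct horse battery"),
    "bob": make_entry(1001, "hunter2"),
}


class NotYourAccount(PermissionError):
    """Raised when a caller asks about an account other than their own."""


def check_password(target_user: str, password: str, caller_uid: int,
                   sleep=time.sleep) -> bool:
    """Model of the setgid helper's contract: the caller (identified by
    caller_uid, i.e. what getuid() returns inside the helper) may only verify
    the password of the account it already runs as. Any other target is
    refused before a single hash is computed, so the helper cannot be turned
    into a password oracle for other users. A wrong password costs the caller
    the hash time plus FAIL_DELAY; sleep is injectable so tests stay fast."""
    entry = SHADOW.get(target_user)
    if entry is None or entry[0] != caller_uid:
        raise NotYourAccount(f"uid {caller_uid} may not check {target_user!r}")
    _uid, salt, stored = entry
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    if not ok:
        sleep(FAIL_DELAY)
    return ok


def guess_cost_seconds(hash_seconds: float, delay: float = FAIL_DELAY) -> float:
    """Time an attacker pays per wrong guess through this helper: the slow
    hash (which also makes an offline attack on the stored hash expensive)
    plus the sleep (which only slows online guessing through the helper)."""
    return hash_seconds + delay


def brute_force_self(target_user: str, caller_uid: int, wordlist) -> dict:
    """Run a constructed wordlist against the caller's own account and report
    how long it took, to make the cost of the hash and the delay visible."""
    start = time.perf_counter()
    tried = 0
    found = None
    for candidate in wordlist:
        tried += 1
        if check_password(target_user, candidate, caller_uid):
            found = candidate
            break
    return {"tried": tried, "found": found,
            "seconds": time.perf_counter() - start}


if __name__ == "__main__":
    # A user guessing their own password: allowed, but each miss is slow.
    words = ["password", "123456", "letmein", "hunter2", "correct horse battery"]
    print(brute_force_self("alice", 1000, words))
    # The same user targeting another account: refused before any hashing.
    try:
        check_password("bob", "hunter2", caller_uid=1000)
    except NotYourAccount as e:
        print("refused:", e)
```

Running the script prints the timing of the self-directed guessing run and the refusal for the other account. Two caveats worth keeping in mind when reading it against the thread: the sleep only delays the process that called the helper, so a caller can run many helper processes in parallel and the per-guess delay does not bound the aggregate rate; and the slow hash raises the cost of every guess, online or offline, but does not by itself stop a user from probing other accounts. The uid check is what turns the helper from an oracle into a self-check, which is the design point made in the quoted reply.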