tech-security archive
Re: passwd check from unprivileged programs (pkgsrc/pam-pwauth_suid)
Joerg Sonnenberger (joerg%britannica.bec.de@localhost) said 2008.06.25 20:52:29 +0000:
> On Wed, Jun 25, 2008 at 08:47:49PM +0200, Matthias Drochner wrote:
> > The program can only be used to check the passwd of the
> > user it was started as. Slowing it down would make it
> > more complex, might even require some signal masking.
>
> One simple idea is to just wait for e.g. 20 milliseconds before trying to
> validate the password the first time. It would still allow dictionary
> attacks, but it isn't slow enough that a normal user will notice.
How about waiting for a longer time after 3 failed tries?
> Joerg
--Wouter
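
The two suggestions in this thread (a fixed 20 ms wait before the first validation, and a longer wait after 3 failed tries) combined with the signal masking Matthias mentions, as an added example that is not part of the original messages or of pam-pwauth_suid. The function names, the 1 s penalty step and the 8 s cap are assumptions, and the failure count is taken as a parameter because the thread does not say how it would be stored between invocations.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>
#define BASE_DELAY_MS   20L    /* from the thread */
#define FREE_TRIES      3      /* from the thread */
#define PENALTY_STEP_MS 1000L  /* assumed */
#define MAX_DELAY_MS    8000L  /* assumed cap */

/* Delay before validation, given consecutive failures recorded so far
 * (the caller supplies the count; persisting it is not shown). */
long auth_delay_ms(int failures)
{
    long extra = PENALTY_STEP_MS;
    if (failures < FREE_TRIES)
        return BASE_DELAY_MS;
    for (int i = FREE_TRIES; i < failures && extra < MAX_DELAY_MS; i++)
        extra *= 2;                       /* 1 s, 2 s, 4 s, then capped */
    return BASE_DELAY_MS + (extra > MAX_DELAY_MS ? MAX_DELAY_MS : extra);
}

/* Sleep the full delay with signals blocked; SIGKILL and SIGSTOP cannot be
 * blocked, but killing the helper yields no verdict. Returns elapsed ms. */
long auth_delay_sleep(long ms)
{
    sigset_t all, old;
    struct timespec t0, t1, left = { ms / 1000, (ms % 1000) * 1000000L };
    int rc = 0;
    sigfillset(&all);
    if (sigprocmask(SIG_BLOCK, &all, &old) != 0)
        return -1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    while ((rc = nanosleep(&left, &left)) != 0 && errno == EINTR)
        ;                                 /* resume with the remaining time */
    clock_gettime(CLOCK_MONOTONIC, &t1);
    sigprocmask(SIG_SETMASK, &old, NULL);
    if (rc != 0)
        return -1;
    return (long)(((long long)(t1.tv_sec - t0.tv_sec) * 1000000000LL
                   + (t1.tv_nsec - t0.tv_nsec)) / 1000000LL);
}

int main(void)
{
    for (int f = 0; f <= 7; f++)
        printf("failures=%d delay=%ld ms\n", f, auth_delay_ms(f));
    return auth_delay_sleep(auth_delay_ms(0)) < 0;
}
```

Because the delay runs before the password is checked, interrupting or killing the process never shortens the time to an answer.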