tech-security archive


Re: passwd check from unprivileged programs (pkgsrc/pam-pwauth_suid)



Joerg Sonnenberger (joerg%britannica.bec.de@localhost) said 2008.06.25 20:52:29 +0000:
> On Wed, Jun 25, 2008 at 08:47:49PM +0200, Matthias Drochner wrote:
> > The program can only be used to check the passwd of the
> > user it was started as. Slowing it down would make it
> > more complex, might even require some signal masking.
> 
> One simple idea is to just wait for e.g. 20 milliseconds before trying to
> validate the password the first time. It would still allow dictionary
> attacks, but it isn't slow enough that a normal user will notice.

How about waiting for a longer time after 3 failed tries?

> Joerg
        --Wouter
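The two throttling ideas in this thread (a small fixed delay before the first check, and a longer wait once three attempts have failed) combined into one delay policy, as an added example that is not code from pam-pwauth_suid or from any of the posters. The constants (20 ms base, 3 tolerated failures, a 1 s step per further failure, a 10 s cap), the function names and the stand-in password check are all assumptions made for the example; the EINTR loop around nanosleep() addresses the signal concern Matthias raises, since a signal delivered to the helper would otherwise cut the wait short.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define BASE_DELAY_MS   20      /* delay before every check (Joerg's suggestion) */
#define FREE_ATTEMPTS   3       /* failures tolerated before the longer wait (Wouter's suggestion) */
#define PENALTY_STEP_MS 1000    /* extra wait per failure beyond FREE_ATTEMPTS (assumed) */
#define MAX_DELAY_MS    10000   /* cap so the helper never sleeps unboundedly (assumed) */

/* Delay in milliseconds to apply before the next check, given the number
 * of consecutive failures seen so far in this helper invocation. */
long delay_for_failures(unsigned failures)
{
    long ms = BASE_DELAY_MS;
    if (failures >= FREE_ATTEMPTS) {
        /* grows linearly: 1 s after the 3rd failure, 2 s after the 4th, ... */
        unsigned excess = failures - FREE_ATTEMPTS + 1;
        long penalty = (long)excess * PENALTY_STEP_MS;
        if (penalty > MAX_DELAY_MS - BASE_DELAY_MS)
            penalty = MAX_DELAY_MS - BASE_DELAY_MS;
        ms += penalty;
    }
    return ms;
}

/* Sleep for the full delay even if a signal interrupts nanosleep():
 * on EINTR, resume with the remaining time instead of returning early. */
int sleep_ms_uninterruptible(long ms)
{
    struct timespec req = { ms / 1000, (ms % 1000) * 1000000L };
    struct timespec rem;
    while (nanosleep(&req, &rem) == -1) {
        if (errno != EINTR)
            return -1;          /* genuine error, not a signal */
        req = rem;
    }
    return 0;
}

/* Per-invocation state: how many checks have failed in a row. */
struct pw_session {
    unsigned failures;
};

/* Wait the policy's delay, run the caller-supplied check, record the
 * outcome, and return 1 on a correct password, 0 otherwise. */
int guarded_check(struct pw_session *s, int (*check)(const char *),
                  const char *candidate)
{
    sleep_ms_uninterruptible(delay_for_failures(s->failures));
    int ok = check(candidate);
    if (ok)
        s->failures = 0;
    else
        s->failures++;
    return ok;
}

/* Stand-in for the real check (constructed): compares against a fixed
 * secret so the example runs without a password database. */
static int example_check(const char *candidate)
{
    return strcmp(candidate, "constructed-secret") == 0;
}

int main(void)
{
    struct pw_session s = { 0 };
    const char *tries[] = { "guess1", "guess2", "guess3", "guess4",
                            "constructed-secret" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        long wait = delay_for_failures(s.failures);
        int ok = guarded_check(&s, example_check, tries[i]);
        printf("attempt %zu: waited %ld ms, result %s\n",
               i + 1, wait, ok ? "ok" : "fail");
    }
    return 0;
}
```

Running it shows the first three wrong guesses each cost only the 20 ms baseline, the fourth waits just over a second and the fifth just over two; the counter lives in the helper's own memory, so a caller that restarts the helper for every attempt resets it, which is why the baseline delay still matters.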

