[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: passwd check from unpriliged programs (pkgsrc/pam-pwauth_suid)
Joerg Sonnenberger(joerg%britannica.bec.de@localhost) said 2008.06.25 20:52:29
> On Wed, Jun 25, 2008 at 08:47:49PM +0200, Matthias Drochner wrote:
> > The program can only be used to check the passwd of the
> > user it was started as. Slowing it down would make it
> > more complex, might even require some signal masking.
> One simple idea is to just wait for e.g. 20 millisecond before trying to
> validate the password the first time. It would still allow dictionary
> attacks, but it isn't slow enough that a normal user will notice.
How about waiting for a longer time after 3 failed tries?
Main Index |
Thread Index |