Subject: Re: suid helper to read own passwd entry
To: None <tech-userlevel@netbsd.org>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: tech-userlevel
Date: 12/01/2006 17:54:07

On Fri, Dec 01, 2006 at 05:33:21PM +0100, Matthias Drochner wrote:
> 
> > any exploit in a normal user program can be used to get the hash for
> > offline attacks
> 
> Yes, I was aware of this. It is as easy as calling getent(1).
> But an implementation of a similar mechanism at PAM level
> would have the problem that the plaintext password needs
> to be passed to the suid helper.
> And an exploit in a user program can as well do some
> syscall tracing against the unprivileged client program.

It has to be running for that though when the user enters the password.
Well, you are lost for that anyway as a program can intercept X11
events. My point is to fix the problem in the least intrusive way -- and
that's to provide a PAM module with suid backend which allows validation
of the current user's password.

Joerg