tech-security archive


Re: passwd check from unprivileged programs (pkgsrc/pam-pwauth_suid)



On Wed, Jun 25, 2008 at 08:47:49PM +0200, Matthias Drochner wrote:
> The program can only be used to check the passwd of the
> user it was started as. Slowing it down would make it
> more complex, might even require some signal masking.

One simple idea is to just wait for e.g. 20 milliseconds before trying to
validate the password the first time. It would still allow dictionary
attacks, but it isn't slow enough that a normal user will notice.

Joerg
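
The fixed delay suggested above, combined with the signal masking mentioned in the quoted text, could look like this in C. This is an added example, not part of the original mail and not code from pam-pwauth_suid; the names fixed_delay, measure_delay_ms and PRECHECK_DELAY_MS are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <time.h>

/* Assumption: the 20 ms figure from the mail, applied before the first check. */
#define PRECHECK_DELAY_MS 20L

/*
 * Sleep for `ms` milliseconds with every blockable signal masked, so the
 * user who started the helper cannot cut the delay short by signalling it.
 * SIGKILL and SIGSTOP cannot be blocked; killing the helper yields no
 * verdict, so it gives a guesser nothing.
 * Returns 0 on success, -1 on error. The previous mask is restored.
 */
int fixed_delay(long ms)
{
    sigset_t all, old;
    struct timespec req, rem;
    int rc = 0;

    if (ms < 0)
        return -1;
    sigfillset(&all);
    if (sigprocmask(SIG_BLOCK, &all, &old) == -1)
        return -1;

    req.tv_sec = ms / 1000;
    req.tv_nsec = (ms % 1000) * 1000000L;
    /* If the sleep is interrupted anyway, resume with the time left over. */
    while (nanosleep(&req, &rem) == -1) {
        if (errno != EINTR) { rc = -1; break; }
        req = rem;
    }
    if (sigprocmask(SIG_SETMASK, &old, NULL) == -1)
        rc = -1;
    return rc;
}

/* Milliseconds that fixed_delay(ms) took on the monotonic clock, -1 on error. */
long measure_delay_ms(long ms)
{
    struct timespec a, b;
    if (clock_gettime(CLOCK_MONOTONIC, &a) == -1 || fixed_delay(ms) == -1 ||
        clock_gettime(CLOCK_MONOTONIC, &b) == -1)
        return -1;
    long long ns = (b.tv_sec - a.tv_sec) * 1000000000LL + (b.tv_nsec - a.tv_nsec);
    return (long)(ns / 1000000LL);
}
```

A helper would call fixed_delay(PRECHECK_DELAY_MS) once, before the first password comparison, which caps one process at roughly 50 attempts per second.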

