
Re: Bright idea...



On Mon, 24 Jun 1996, Michael K. Johnson wrote:

> What does everyone think of an auth module which simply delays for an
> amount of time determined by an option to the module?
> 
> I'm thinking of rexecd.  I'm told that some people consider it a security
> hole because it allows faster password checking than most other system
> entry points.  A line like this:
> 
> rexec   auth     optional       /usr/lib/security/pam_delay.so  200ms
> 
> would eliminate the problem, and make the whole thing configurable by
> the system administrator.  That could be useful in a lot of other
> paranoid situations, too...

Interesting. I would argue that such an option should be included in each
module instead of having a separate module. Not only should the module delay
a certain amount of time, it should do so even if computing the password.
The time quantum spent on the module should always be the same so no
information is leaked out (I believe this was discussed in the cypherpunks
mailing list with regards to Netscape software). I believe Matt Blaze made
a library that contained functions that allowed you to always wait the same
quantum.

> Andrew, is that something you could code in ten seconds with your
> eyes tied behind your back?  :-)
> 
> If no one else does it, I'll probably eventually get to it, but it
> might take a while because I'm currently pamifying apps.
> 
> michaelkjohnson
> 
> "Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"
> 

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
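
The fixed time quantum discussed in this reply, sketched as an added example that is not part of the original post, of any PAM module, or of the library mentioned above. The names `fixed_quantum_check`, `sample_check` and `timed_check_ms` are hypothetical, and the 5 ms "hash" cost and sample credentials are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <string.h>
#include <time.h>

typedef int (*check_fn)(const char *user, const char *pass);

/* Run check(), then sleep to start + quantum_ms so every outcome takes the
 * same wall-clock time. *overrun = 1 means the check outlasted the quantum
 * (timing leaks again; raise the quantum). */
int fixed_quantum_check(check_fn check, const char *user, const char *pass,
                        long quantum_ms, int *overrun)
{
    struct timespec end, now;
    clock_gettime(CLOCK_MONOTONIC, &end);
    end.tv_sec  += quantum_ms / 1000;
    end.tv_nsec += (quantum_ms % 1000) * 1000000L;
    if (end.tv_nsec >= 1000000000L) { end.tv_sec++; end.tv_nsec -= 1000000000L; }

    int rc = check(user, pass);

    clock_gettime(CLOCK_MONOTONIC, &now);
    *overrun = now.tv_sec > end.tv_sec ||
               (now.tv_sec == end.tv_sec && now.tv_nsec > end.tv_nsec);
    /* Absolute deadline: a signal restarts the sleep without extending it. */
    while (clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, &end, NULL) == EINTR)
        ;
    return rc;
}

/* Constructed stand-in for a real check: unknown users return at once,
 * known users pay 5 ms of simulated password hashing. */
int sample_check(const char *user, const char *pass)
{
    if (strcmp(user, "alice") != 0) return 0;
    struct timespec hash_cost = {0, 5000000L};
    nanosleep(&hash_cost, NULL);
    return strcmp(pass, "correct horse") == 0;
}

/* Milliseconds one padded call takes, as a remote observer would see it. */
long timed_check_ms(const char *user, const char *pass, long quantum_ms, int *rc)
{
    struct timespec a, b; int overrun;
    clock_gettime(CLOCK_MONOTONIC, &a);
    *rc = fixed_quantum_check(sample_check, user, pass, quantum_ms, &overrun);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (long)(((b.tv_sec - a.tv_sec) * 1000000000LL + (b.tv_nsec - a.tv_nsec)) / 1000000);
}
```

The deadline is taken before the check runs, so the padding absorbs the check's own cost instead of adding a fixed delay on top of it.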


