[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Bright idea...



On Mon, 24 Jun 1996, Michael K. Johnson wrote:

> There's not much point in duplicating code across every module.  It seems
> sensible to me to use modules as modules...
> 
> Try this instead:
> 
> rexec   auth     required       /usr/lib/security/pam_unix_auth.so
> rexec   auth     optional       /usr/lib/security/pam_delay.so  200ms
> rexec   auth     required       /usr/lib/security/pam_other_auth.so
> rexec   auth     optional       /usr/lib/security/pam_delay.so  200ms
> 
> It will (assuming someone writes the module for you) give you the
> behavior you want without the duplicated code.  I know waiting isn't
> hard, but adding code to check the argument, and having the code know
> how to parse different time specifications, etc., is a solid argument
> for keeping it separate.

The problem with this approach is that the pam_delay module does not know
how long the other modules took and therefore can't calculate how long to
delay so that the whole chain of modules always takes the safe amount
of time, and so it gives away information that might be useful to an intruder.
(For example the pam_unix module may take less time if an account does
not exist since it does not need to check the password, so even if
the pam_delay takes 200ms the whole chain will take less time if the
account does not exist.) A way around this is to have a pam_delay
do the delay thing, but implement on each module a function to make
sure it always uses the same time quantum.

> michaelkjohnson
> 
> "Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?"
> 
> 
> --
> To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null
> 

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
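The timing leak Aleph One describes, and the "same time quantum" fix, as an added example in C. This is not code from the thread, from Linux-PAM or from any pam_delay module; fake_unix_auth() is a constructed stand-in whose sleeps (5ms for a missing account, 60ms for an existing one) are invented to make the leak visible, and chain_fixed_delay_ms(), chain_padded_ms(), pad_to_quantum() and observable_gap_ms() are hypothetical names. The first chain appends a fixed 200ms delay, as in the proposed config; the second records the time at the start of the chain and sleeps only for whatever is left of the quantum, which is what a module would need the start time for.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Monotonic clock in nanoseconds (immune to wall-clock adjustments). */
static int64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Sleep for ns nanoseconds, resuming if a signal interrupts the sleep. */
static void sleep_ns(int64_t ns) {
    if (ns <= 0) return;
    struct timespec req = { (time_t)(ns / 1000000000LL), (long)(ns % 1000000000LL) };
    while (nanosleep(&req, &req) == -1 && errno == EINTR)
        ;
}

/* Constructed stand-in for a pam_unix-style module: an unknown account
 * returns early (no password hash to check), so it is much faster than
 * the full lookup-hash-compare path. Durations are invented. */
static int fake_unix_auth(int account_exists) {
    if (!account_exists) {
        sleep_ns(5 * 1000000LL);   /* 5 ms: getpwnam() fails, bail out */
        return -1;
    }
    sleep_ns(60 * 1000000LL);      /* 60 ms: fetch entry, hash, compare */
    return -1;                     /* wrong password, but existence leaked by timing */
}

/* Approach from the quoted config: module, then a fixed 200ms pam_delay.
 * Returns the total elapsed time of the chain in milliseconds. */
int64_t chain_fixed_delay_ms(int account_exists) {
    int64_t t0 = now_ns();
    fake_unix_auth(account_exists);
    sleep_ns(200 * 1000000LL);     /* pam_delay 200ms, blind to what came before */
    return (now_ns() - t0) / 1000000LL;
}

/* Aleph One's fix: pad to a fixed quantum measured from the chain start,
 * so the delay absorbs whatever time the earlier modules used.
 * If the modules already overran the quantum nothing can be hidden,
 * so a real implementation should log that and raise the quantum. */
static void pad_to_quantum(int64_t t0, int64_t quantum_ns) {
    sleep_ns(t0 + quantum_ns - now_ns());
}

int64_t chain_padded_ms(int account_exists) {
    int64_t t0 = now_ns();          /* captured at chain entry, not in the delay module */
    fake_unix_auth(account_exists);
    pad_to_quantum(t0, 200 * 1000000LL);
    return (now_ns() - t0) / 1000000LL;
}

/* What a remote attacker can observe: the difference in total chain time
 * between a missing account and an existing one. */
int64_t observable_gap_ms(int64_t (*chain)(int)) {
    int64_t missing = chain(0), present = chain(1);
    return present > missing ? present - missing : missing - present;
}

int main(void) {
    printf("fixed 200ms delay: gap between missing/existing account = %lld ms\n",
           (long long)observable_gap_ms(chain_fixed_delay_ms));
    printf("pad to 200ms quantum: gap between missing/existing account = %lld ms\n",
           (long long)observable_gap_ms(chain_padded_ms));
    return 0;
}
```

With the constructed timings the fixed-delay chain shows a gap of roughly 55ms, which is exactly the signal the appended delay was supposed to hide, while the padded chain shows a gap of a few milliseconds at most (scheduler jitter). The key design point is that the start timestamp has to be taken before the first module runs, which is why a stand-alone pam_delay entry later in the stack cannot do it by itself.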


