[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Including pam_faildelay module in PAM distribution/possible security problem

From: Bjoern Voigt <bjoern cs tu-berlin de>
To: Pluggable Authentication Modules <pam-list redhat com>
Cc: Thorsten Kukuk <kukuk suse de>
Subject: Re: Including pam_faildelay module in PAM distribution/possible security problem
Date: Sun, 12 Nov 2006 22:40:21 +0100

Hello!

Thorsten Kukuk wrote:

On Sun, Oct 22, Bjoern Voigt wrote:
Hello!
Since long time I miss support for PAM's pam_fail_delay() function incommon Linux applications. For instance, OpenSSH and SUDO don't supportfail delay without special patches.
Something I should mention here: pam_fail_delay() has a huge drawback/
security problem:

Since libpam is sleeping here, the application has no chance to log
the failed authentication attemp.

Depending on the application, you can abort the application with
Ctrl-C while it is inside of the delay function. As result, there
will never be a syslog entry about the failed login attemp.
We had some time (years?) ago the security problem that attackercould use some applications for brute force attacks by abortingthem during the delay, because the following happend:
- authentication fails
- sleep()
- syslog()

This was changed to
- authentication fails
- syslog ()
- sleep ()


With pam_fail_delay, you will always have sleep before syslog, this is
not changeable.

And I have no good idea how to make sure that the libpam sleep will
not be aborted.

Ok, I see the problem. I also don't have a complete solution for thisproblems. But may be we find a good solution together. My comments:


  1. Not all apps can be canceled with Control-C. Especially the server
     applications should not be affected. Console programs sometimes
     avoid this situation itself (such programs like "login").
  2. If the application does not log the failure, the admin can look
     for authentication failures in PAM's syslog entries.
  3. I don't like the hardcoded "sleep" function very much. This is
     especially problematic within GUI programs. A GUI program can not
     react events if it wait's for PAM. Ideally an application could
     register a custom wait/sleep callback function. Unfortunately such
     a new callback would not help to secure unmodified programs.

Greetings,
Björn

Follow-Ups:
- Re: Including pam_faildelay module in PAM distribution/possible security problem
  - From: Bjoern Voigt

References:
- Re: Including pam_faildelay module in PAM distribution/possible security problem
  - From: Thorsten Kukuk

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]