Re: Re: pam module that allows users to write their own configuration
- From: Thorsten Kukuk <kukuk suse de>
- To: Pluggable Authentication Modules <pam-list redhat com>
- Subject: Re: Re: pam module that allows users to write their own configuration
- Date: Fri, 23 May 2008 16:39:17 +0200
On Fri, May 23, Frankie Boy wrote:
> On Fri, May 23, Thorsten Kukuk wrote:
>
> >On Fri, May 23, Frankie Boy wrote:
> >
> >>Hello!
> >>
> >>My friend and I started to develop a PAM module which moves the
> >>configuration-process responsibility from the system administrator to the
> >>system users.
> >>Every system user is able to configure his own pam-modules stack for
> >>authentication.
> >
> >Hm, isn't that a big security risk? This would allow a user
> >to configure a very weak authentication schema, which allows
> >a hacker to crack this account very fast ...
> >
> > Thorsten
>
> Thanks for your reply,
>
> Yes, there is a possibility to create a weak authentication scheme,
> but it will allow a hacker to crack only the account of a user who created
> this schema!

That's more than enough, for example to misuse the account for sending
out thousands of spam mails.

> Please note that in a system that uses passwords to verify users, a user might,
> for example, set his password to be the same as his user name or, for example,
> send his password to someone.

But then the admin did not set up the PAM stack correctly ;-)
There are more than enough modules to make sure that the user
always chooses a strong password.

  Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)