Re: pam 1.6.1-2 breaks sudo password




> Are you sure you're not just hitting the new (old at this point)
> idiotic default of always failing after X failed attempts in Y time?
> That would mean you mistyped the password a few times, but afterwards
> it would not matter even if you typed it correctly.

Hello. This is a response not only to the above message, but also to many down in this thread.

If one has a strong passphrase configured, understands basic security, and happens to be on their local home computer, faillock may be configured to use different options. For example I have it ~turned off altogether⁽¹⁾ and so do many people in a similar situation.

The defaults are meant to provide sane security in the baseline case. Not only in faillock, but with everything. One installs a package, and it doesn’t do something risky by default. Sounds reasonable, doesn’t it? And in the baseline case a 15-minute lock after 3 failed logins in 10 minutes provides between a few hours and a day of delay for the adversary, giving the sys/net admin enough time to detect and react. A 15-minute lock is also reasonably tamper-evident for the baseline-case user.

You may dislike the UX decision, but you should get used to it, because this is now becoming common best practice, in particular for network-facing services. The primary reason is avoiding side-channel attacks, which leads to the basic secure implementation not being able to distinguish between these two cases. Even where it could be possible, per WSTG-IDNT-04 it shouldn’t be possible to make such a distinction. That’s not only a security feature, but also a user privacy improvement.

Please be aware that in this model the message does not go to an authorized user. Obviously it can’t, given that authorization has failed. Which means the recipient is an actor not permitted to receive this information. The always-authorized actor is the administrator, and they have access to the detailed cause: it’s in the logs.

Of course one may invent an edge case where this isn’t needed. But the mere existence of such cases is not really relevant when they are not representative of the entire landscape.

So please consider changing your tone a bit; cheers.
____
⁽¹⁾ 999 attempts, 1 s lock.
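As an added illustration of the lockout arithmetic discussed in the message above (example code, not something posted in the thread and not pam's own implementation): a small Python model of the pam_faillock decision rule, run once with the numbers the message cites (3 failures within 10 minutes lock for 15 minutes, i.e. deny=3, fail_interval=600, unlock_time=900) and once with the footnote's relaxed setting (deny=999, unlock_time=1). It reproduces the complaint in the quoted text (a correct password is rejected while the lock is active) and counts how many guesses an online attacker trying once per second actually gets evaluated in a day. The class names, the user "alice", the passwords and the one-attempt-per-second attacker are assumptions made for this example; the real module reads deny, fail_interval and unlock_time from /etc/security/faillock.conf and keeps its per-user tallies on disk.

```python
"""Toy model of the pam_faillock lockout rule (added example, not pam code).

Simplifications: tallies live in memory, time is an integer number of
seconds supplied by the caller, and only the three options discussed in
the thread (deny, fail_interval, unlock_time) are modelled.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FaillockPolicy:
    deny: int           # failures needed before the account is locked
    fail_interval: int  # seconds: failures are counted in this window
    unlock_time: int    # seconds after the last failure; 0 = until admin reset


# The thread's numbers: 3 failed logins in 10 minutes -> 15 minute lock.
THREAD_DEFAULT = FaillockPolicy(deny=3, fail_interval=600, unlock_time=900)
# The footnote's "~turned off" setting: 999 attempts, 1 s lock.
RELAXED = FaillockPolicy(deny=999, fail_interval=600, unlock_time=1)


class Faillock:
    def __init__(self, policy: FaillockPolicy):
        self.policy = policy
        self.tallies: dict[str, deque] = {}  # user -> failure timestamps

    def _record_failure(self, user: str, now: int) -> None:
        fails = self.tallies.setdefault(user, deque())
        fails.append(now)
        # Only failures within fail_interval of the newest one count.
        while fails[0] + self.policy.fail_interval < now:
            fails.popleft()

    def is_locked(self, user: str, now: int) -> bool:
        fails = self.tallies.get(user)
        if not fails or len(fails) < self.policy.deny:
            return False
        if self.policy.unlock_time == 0:
            return True  # stays locked until an administrator resets the tally
        return fails[-1] + self.policy.unlock_time > now

    def authenticate(self, user: str, password: str, correct: str, now: int) -> str:
        """Return "locked", "bad-password" or "ok".

        The lock check comes first, so a correct password is rejected while
        the account is locked, which is the behaviour the quoted message
        complains about.  A success clears the tally.
        """
        if self.is_locked(user, now):
            return "locked"
        if password != correct:
            self._record_failure(user, now)
            return "bad-password"
        self.tallies.pop(user, None)
        return "ok"


def typo_then_correct(policy: FaillockPolicy, retry_at: int) -> str:
    """Three typos at t=0,5,10 s, then the right password at t=retry_at."""
    fl = Faillock(policy)
    for t in (0, 5, 10):
        fl.authenticate("alice", "hunter3", "hunter2", now=t)
    return fl.authenticate("alice", "hunter2", "hunter2", now=retry_at)


def guesses_per_day(policy: FaillockPolicy) -> int:
    """Guesses an attacker trying once per second gets evaluated in 24 h."""
    fl = Faillock(policy)
    evaluated = 0
    for t in range(86400):
        if fl.authenticate("alice", "wrong", "hunter2", now=t) != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for name, policy in (("thread default", THREAD_DEFAULT), ("relaxed", RELAXED)):
        print(name, "retry at 20 s:", typo_then_correct(policy, retry_at=20))
        print(name, "guesses/day:", guesses_per_day(policy))
```

With the thread's numbers the attacker gets 3 guesses per lock cycle, a few hundred per day, while the relaxed setting never locks at all at one attempt per second: 999 failures never fall inside a 600 s window, so the "1 s lock" is indeed the lock switched off.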



