Thorsten Kukuk wrote:
On Fri, May 23, Frankie Boy wrote:
On Fri, May 23, Thorsten Kukuk wrote:
On Fri, May 23, Frankie Boy wrote:
Hello!
My friend and I started to develop a PAM module which moves the
responsibility for the configuration process from the system administrator
to the system users.
Every system user is able to configure his own PAM module stack for
authentication.
Hm, isn't that a big security risk? This would allow a user
to configure a very weak authentication schema, which allows a
hacker to crack this account very fast ...
Thorsten
Thanks for your reply,
Yes, there is a possibility to create a weak authentication scheme,
but it will allow a hacker to crack only the account of the user who created
this scheme!
That's more than enough, for example to misuse the account for sending
out thousands of SPAM mails.
We realize that, but I personally believe that this is a kind of system
bug and not an authentication-process one.
In a system with 200 users, for example, someone might feel offended by the
system administrator and start to send spam himself.
I know that there are a lot more security holes available to system
users than available to outside hackers, but I believe that there
shouldn't be any of them from either side.
This might seem a little naive, but I think there should be no difference
to the system whether the user is really the user himself or a hacker is logged
in as him; the system shouldn't allow any harmful action in either case.
When users start to send spam we know who is guilty (the user
himself),
but when a hacker cracks into his account and messes something up,
we can also say that the user is guilty because he set himself a wrong
authentication scheme :D.
And now it is only the user's risk :D
Please note that in a system that uses passwords to verify users, a user might
for example set a password the same as his user name, or for example send his
password to someone.
But then the admin did not set up the PAM stack correctly ;-)
There are more than enough modules to make sure that the user
always chooses a strong password.
Thorsten
Yes, maybe this was not a good example,
but I just wanted to say that if someone wants to give his privileges to
hackers he can do this;
the difference is that with our module he can do this more purposely.
This is maybe a big minus of our module, but as I said, even when the
module is installed
the user doesn't have to use it, and it is his call and his responsibility.
I know our conception is a little risky, but I hope it is worth developing :)
best regards, Franciszek Wawrzak
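The thread above turns on what a PAM stack can look like when its author is not the administrator: Thorsten's objection is that a weak stack lets an account be cracked fast, and his answer is that an admin-controlled stack can enforce password quality. Added here as an example (not code from the thread, and not part of the module Franciszek describes) is a small Python audit that parses PAM stack lines and flags the settings that weaken authentication: an unconditional pam_permit in the auth phase, pam_unix with nullok, a password phase with no quality module before the hash is stored, and no lockout module. The module names and options used (pam_permit, pam_unix nullok/use_authtok, pam_pwquality, pam_cracklib, pam_faillock) are real Linux-PAM ones; the two sample stacks are constructed for the demonstration.

```python
"""Audit Linux-PAM stack lines for settings that weaken authentication.

Added example: parses the 'type control module [args]' line format and
reports the weaknesses discussed in the pam-list thread. Sample stacks
below are constructed, not taken from any real system.
"""
import re
from dataclasses import dataclass, field

# Modules that actually verify a credential. An auth phase without one of
# these decides nothing about who the caller is.
AUTHENTICATORS = {"pam_unix.so", "pam_sss.so", "pam_ldap.so",
                  "pam_krb5.so", "pam_winbind.so"}
# Modules that reject weak new passwords when stacked before pam_unix.
QUALITY_CHECKERS = {"pam_pwquality.so", "pam_cracklib.so", "pam_passwdqc.so"}
# Modules that throttle or lock out repeated failed attempts.
LOCKOUT = {"pam_faillock.so", "pam_tally2.so"}

# control is either a keyword (required, sufficient, ...) or a bracketed
# action list such as [success=ok default=bad].
LINE_RE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+"
                     r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


@dataclass
class Entry:
    type: str
    control: str
    module: str
    args: list = field(default_factory=list)


def parse_stack(text):
    """Parse PAM config text into Entry objects, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        args = m.group("args").split() if m.group("args") else []
        module = m.group("module").rsplit("/", 1)[-1]  # drop any path prefix
        entries.append(Entry(m.group("type"), m.group("control"), module, args))
    return entries


def _short_circuits(entry):
    """True if success of this module ends the stack immediately.

    'sufficient' and '[success=done ...]' both return success to the
    application without consulting later modules (simplified: other
    bracketed action combinations are not evaluated here).
    """
    return entry.control == "sufficient" or "success=done" in entry.control


def audit(text):
    """Return a list of human-readable findings for the given stack text."""
    findings = []
    entries = parse_stack(text)
    auth = [e for e in entries if e.type == "auth"]
    password = [e for e in entries if e.type == "password"]

    # A short-circuiting pam_permit grants login only if no earlier
    # required/requisite authenticator has already recorded a failure.
    required_auth_seen = False
    for e in auth:
        if e.module in AUTHENTICATORS and e.control in ("required", "requisite"):
            required_auth_seen = True
        if e.module == "pam_permit.so" and _short_circuits(e) and not required_auth_seen:
            findings.append("auth: pam_permit.so with a short-circuiting control "
                            "grants login without checking any credential")
        if e.module == "pam_unix.so" and "nullok" in e.args:
            findings.append("auth: pam_unix.so nullok accepts empty passwords")
    if not any(e.module in AUTHENTICATORS for e in auth):
        findings.append("auth: no credential-checking module in the stack")
    if not any(e.module in LOCKOUT for e in auth):
        findings.append("auth: no lockout module; repeated guesses are not throttled")

    # In the password phase the quality check must come before the module
    # that stores the hash, and pam_unix must take the checked token
    # (use_authtok) instead of prompting for its own, which would bypass it.
    quality_seen = False
    for e in password:
        if e.module in QUALITY_CHECKERS:
            quality_seen = True
        if e.module == "pam_unix.so":
            if not quality_seen:
                findings.append("password: pam_unix.so runs without a preceding quality check")
            elif "use_authtok" not in e.args:
                findings.append("password: pam_unix.so lacks use_authtok, so the "
                                "quality-checked password can be bypassed")
    return findings


# Constructed sample: the kind of stack a user might write for himself.
WEAK_USER_STACK = """
auth     sufficient  pam_permit.so
auth     required    pam_unix.so nullok
password required    pam_unix.so
"""

# Constructed sample: an admin-controlled stack that enforces quality and lockout.
HARDENED_STACK = """
auth     required       pam_faillock.so preauth deny=5 unlock_time=600
auth     required       pam_unix.so
auth     [default=die]  pam_faillock.so authfail deny=5 unlock_time=600
auth     required       pam_permit.so
password requisite      pam_pwquality.so retry=3 minlen=12 difok=3
password required       pam_unix.so use_authtok sha512 shadow
"""

if __name__ == "__main__":
    for name, stack in (("weak user stack", WEAK_USER_STACK),
                        ("hardened stack", HARDENED_STACK)):
        print(f"== {name}: {len(audit(stack))} finding(s)")
        for f in audit(stack):
            print("  -", f)
```

Run against the two constructed stacks, the user-written one produces four findings and the admin-controlled one none, which is the practical difference the thread is arguing about: the administrator can place pam_pwquality and pam_faillock in the stack and the user cannot remove them, whereas a per-user stack is only as strong as its author wants it to be.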
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list