Re: and unix_chkpw setgid - does it work for regular users?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Thu, 2 Aug 2012 12:47:36 -0700
Steve Langasek <vorlon@xxxxxxxxxx> wrote:

> It's so that a regular user can *self* authenticate.  Allowing users
> to call this setgid helper directly for other accounts would let them
> use it for brute forcing of passwords.  So no, what you're asking for
> is disallowed by design.

Well, how about making brute forcing passwords hard by using a hash
function designed for the use with passwords like bcrypt. That way all
the user did was wasting his CPU cycles without getting close to

I do understand the motivation for preventing a user to use unix_chkpw
for brute forcing. But what does prevent said user from using `ssh
localhost` for this? Well, the increasing retry delay, maybe a disallow
for localhost (erm...). But one could also add a usleep(100000) after a
negative result, and as such slowing down a brute force significantly.


Attachment: signature.asc
Description: PGP signature

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux