On Thu, 2 Aug 2012 12:47:36 -0700 Steve Langasek <vorlon@xxxxxxxxxx> wrote: > It's so that a regular user can *self* authenticate. Allowing users > to call this setgid helper directly for other accounts would let them > use it for brute forcing of passwords. So no, what you're asking for > is disallowed by design. Well, how about making brute forcing passwords hard by using a hash function designed for the use with passwords like bcrypt. That way all the user did was wasting his CPU cycles without getting close to anything. I do understand the motivation for preventing a user to use unix_chkpw for brute forcing. But what does prevent said user from using `ssh localhost` for this? Well, the increasing retry delay, maybe a disallow for localhost (erm...). But one could also add a usleep(100000) after a negative result, and as such slowing down a brute force significantly. Wolfgang
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
