On Monday 10 September 2001 18:26, Christopher Audley wrote:
> saslauthd is an evolution of pwcheck available with the 1.5.27 and
> 2.0.x versions of the sasl library (available from CVS).  Saslauthd
> basically takes the core of pwcheck and adds forking so that each
> request is handled by a different subprocess, and password checking
> logic modules have been added for more methods.  It's a start in the
> right direction, but much more needs to be done.  For instance, the
> forking of processes is done after an accept, so on servers that see
> a light load, saslauthd will actually appear to be slower than
> pwcheck.  There is also no limit on how many processes saslauthd will
> fork, so it introduces new possibilities for DOS attacks.

Thanks. Does it slow down retries in the case of unsuccessful attempts? 
Otherwise, it would be as vulnerable to password guessing as pwcheck 
is. That weakness of pwcheck makes it practically useless: access to 
its port is comparable to read access to /etc/shadow and must be 
restricted accordingly. That makes pwcheck redundant.

On the other hand, if forking is unlimited then a user might use 
saslauthd to guess numerous passwords in parallel. Consequently, 
slowing down retries may not be enough. Could you explain how saslauthd 
addresses these issues?

Again, thanks.

Chris
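The two weaknesses raised in this exchange, an unbounded fork-per-connection loop and password checks that are never slowed down after failures, are both admission-policy problems in the parent daemon. The following is an added example, not saslauthd or pwcheck code, of the policy such a daemon could consult: a hypothetical cap on concurrent children (MAX_CHILDREN) decided before fork(), and a per-account exponential backoff keyed on the username being checked, since a daemon behind a local socket sees the requesting MTA or IMAP server, not the end client. All names, constants and the constructed scenarios are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Hypothetical admission/backoff policy for a fork-per-request authentication
 * daemon in the style of saslauthd.  Added example, not saslauthd's own code.
 * The parent would call policy_accept_ok() before fork() and
 * policy_delay_for()/policy_record() around each password check; the state
 * must live in the parent (or shared memory), since a child's writes after
 * fork() never reach the parent.
 */
#define MAX_CHILDREN 32   /* hypothetical cap on concurrent verifier children */
#define MAX_TRACKED  256  /* hypothetical size of the per-user failure table   */
#define MAX_FAILS    6    /* delay stops doubling after this many failures     */
#define BASE_DELAY   1    /* seconds of delay after the first failure          */
#define USER_MAX     64

struct user_state {
    char     name[USER_MAX];
    unsigned fails;        /* consecutive failures, cleared on success */
    time_t   locked_until; /* earliest time another check may run      */
};

struct policy {
    unsigned active_children;
    size_t   nusers;
    struct user_state users[MAX_TRACKED];
};

void policy_init(struct policy *p) { memset(p, 0, sizeof *p); }

/* Parent, on each accept(): refuse to fork once the cap is reached. */
int policy_accept_ok(const struct policy *p)
{
    return p->active_children < MAX_CHILDREN;
}

void policy_child_started(struct policy *p) { p->active_children++; }

/* Parent, from its SIGCHLD/waitpid() handling. */
void policy_child_exited(struct policy *p)
{
    if (p->active_children > 0) p->active_children--;
}

static struct user_state *find_user(struct policy *p, const char *name, int create)
{
    size_t i;
    for (i = 0; i < p->nusers; i++)
        if (strcmp(p->users[i].name, name) == 0) return &p->users[i];
    if (!create || p->nusers >= MAX_TRACKED) return NULL;
    struct user_state *u = &p->users[p->nusers++];
    memset(u, 0, sizeof *u);
    strncpy(u->name, name, USER_MAX - 1);
    return u;
}

/* Seconds to wait before verifying a password for `name`; 0 = run now. */
long policy_delay_for(struct policy *p, const char *name, time_t now)
{
    struct user_state *u = find_user(p, name, 0);
    if (u == NULL || u->locked_until <= now) return 0;
    return (long)(u->locked_until - now);
}

/* Each consecutive failure doubles the delay (1, 2, 4, ... seconds, capped at
 * BASE_DELAY << (MAX_FAILS - 1)); a success clears it. */
void policy_record(struct policy *p, const char *name, int success, time_t now)
{
    struct user_state *u = find_user(p, name, 1);
    if (u == NULL) return;  /* table full: a real daemon should fail closed */
    if (success) { u->fails = 0; u->locked_until = 0; return; }
    if (u->fails < MAX_FAILS) u->fails++;
    u->locked_until = now + (time_t)(BASE_DELAY << (u->fails - 1));
}

/* Constructed scenario: `requests` connections arrive at once and none has
 * finished.  Returns how many were allowed to fork. */
int scenario_burst_accepted(int requests)
{
    struct policy p; int i, accepted = 0;
    policy_init(&p);
    for (i = 0; i < requests; i++)
        if (policy_accept_ok(&p)) { policy_child_started(&p); accepted++; }
    return accepted;
}

/* Constructed scenario: `fails` wrong passwords for one account at t=1000
 * (optionally followed by a correct one), then the delay imposed on the
 * next attempt at that same instant. */
long scenario_delay_after_failures(unsigned fails, int then_success)
{
    struct policy p; unsigned i; time_t now = 1000;
    policy_init(&p);
    for (i = 0; i < fails; i++) policy_record(&p, "alice", 0, now);
    if (then_success) policy_record(&p, "alice", 1, now);
    return policy_delay_for(&p, "alice", now);
}

int main(void)
{
    printf("50 simultaneous requests, forks allowed: %d\n", scenario_burst_accepted(50));
    printf("delay after 4 failures: %lds\n", scenario_delay_after_failures(4, 0));
    printf("delay after 4 failures then success: %lds\n", scenario_delay_after_failures(4, 1));
    return 0;
}
```

The fork cap turns the unbounded-fork problem into a bounded one, but the burst of parallel guesses the reply worries about is only blunted by the cap; the per-account delay is what makes each extra child unhelpful to a guesser. Keying the delay on the target account rather than on the connection means an attacker can slow down logins for a victim account, which is why this is a growing delay and not a hard lockout; whether that trade-off is acceptable is a deployment decision the daemon cannot make on its own.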
