> A much better solution is that which is implemented by default in VMS - lock
> the account for a random period of time - usually around 5 minutes - but
> don't lock it permanently. When the account is locked, accept all passwords,
> even the correct one, and return a standard user authorization failure - the
> same message, no matter if the account is locked, has an incorrect username,
> or an incorrect password. I do not know how this can be in Linux today, if at
> all.
I'm using pam_tally which lets you specify that accounts will be locked, but the problem is that when an account is locked, the wrong password will cause a delay of a second or two before the error is printed while the right password will cause no delay before printing the error. Thus you can brute-force the password while the account is locked and then use it after the account unlocks itself.

Andreas

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
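The behaviour Andreas describes, and the VMS-style alternative from the quoted message, side by side as an added example (this is constructed illustration code, not pam_tally, pam_unix or anything from the thread). Both routines work on an in-memory account record with a simulated clock and return the delay they would impose instead of sleeping, so the difference in observable responses can be checked deterministically. The module order, lock length, delay and message strings are assumptions chosen to mirror the description in the message.

```python
"""Lockout handling: a response that leaks whether the password was right versus one that does not.

Constructed example. 'leaky_login' models the module ordering described in the message
(password check first, which charges a delay only on a wrong password, then a tally check
that rejects a locked account instantly). 'hardened_login' models the VMS-style policy from
the quoted text: always run the full check, always give one generic failure with one delay,
and lock for a random period rather than permanently.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple

FAIL_DELAY = 2.0                 # seconds a failed attempt costs the caller (assumed)
MAX_FAILURES = 3                 # failures before the account is locked (assumed)
LOCK_MIN, LOCK_MAX = 240, 360    # random lock window, roughly five minutes (assumed)
GENERIC_FAILURE = "Login incorrect"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0    # simulated-clock time at which the lock expires


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


def password_matches(acct: Account, password: str) -> bool:
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def leaky_login(acct: Account, password: str, now: float) -> Tuple[bool, str, float]:
    """Returns (success, message, delay_seconds).

    Wrong password: delay, then 'Password incorrect'.
    Right password on a locked account: no delay, 'Account locked'.
    The two failures are distinguishable by timing and by message.
    """
    if not password_matches(acct, password):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_MIN
        return False, "Password incorrect", FAIL_DELAY
    if now < acct.locked_until:
        return False, "Account locked", 0.0
    acct.failures = 0
    return True, "OK", 0.0


def hardened_login(acct: Account, password: str, now: float) -> Tuple[bool, str, float]:
    """Returns (success, message, delay_seconds).

    The password is always verified, even while locked, so the cost is the same
    on every path; every failure returns the same message and the same delay.
    """
    matched = password_matches(acct, password)   # always computed
    locked = now < acct.locked_until
    if matched and not locked:
        acct.failures = 0
        return True, "OK", 0.0
    if not matched and not locked:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            # Random lock length within the window, then the account unlocks itself.
            acct.locked_until = now + LOCK_MIN + secrets.randbelow(LOCK_MAX - LOCK_MIN + 1)
    return False, GENERIC_FAILURE, FAIL_DELAY


if __name__ == "__main__":
    for login in (leaky_login, hardened_login):
        acct = make_account("correct horse")
        for _ in range(MAX_FAILURES):
            login(acct, "wrong", 0.0)
        print(login.__name__, "wrong while locked:", login(acct, "wrong", 1.0))
        print(login.__name__, "right while locked:", login(acct, "correct horse", 1.0))
```

In the hardened variant the only thing a caller learns during the lock window is that login failed; whether the password was right is not recoverable from the message or from the delay, which is the property the quoted message argues for.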