I'd call that a bug that you should report to the pam_tally author - in this case, you should file a bugzilla report with Red Hat since they distribute the routine as part of the pam package. A security policy implemented correctly should not allow a user to gather information about correct or incorrect passwords or usernames during a lockout phase.
.../Ed

Ed Wilts
Mounds View, MN, USA
mailto:[EMAIL PROTECTED]

----- Original Message -----
From: "Andreas Hansson" <[EMAIL PROTECTED]>

> > A much better solution is that which is implemented by default in VMS - lock
> > the account for a random period of time - usually around 5 minutes - but
> > don't lock it permanently. When the account is locked, accept all passwords,
> > even the correct one, and return a standard user authorization failure - the
> > same message, no matter if the account is locked, has an incorrect username,
> > or an incorrect password. I do not know how this can be in Linux today, if at
> > all.
>
> I'm using pam_tally which lets you specify that accounts will be locked, but
> the problem is that when an account is locked, the wrong password will cause
> a delay of a second or two before the error is printed while the right
> password will cause no delay before printing the error. Thus you can
> brute-force the password while the account is locked and then use it after
> the account unlocks itself.
>
> Andreas

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
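The uniform-response behaviour the quoted VMS description asks for, as an added Python example (not pam_tally's code and not from the thread): the check always performs the full password hash and a constant-time compare, applies one fixed delay on every failure path, locks the account for a random period after a threshold of failures, and returns a single message whether the account is locked, the user is unknown or the password is wrong. `now` and `sleep` are injected so the delay can be observed without actually sleeping; `MAX_FAILURES`, the lock window and the user table are assumed, constructed values.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 3                    # assumed threshold before locking
LOCK_MIN_S, LOCK_MAX_S = 240, 360   # random lock window, roughly five minutes
FAIL_DELAY_S = 2.0                  # same delay on every failure path
FAILURE_MSG = "Login incorrect"     # identical text for every failure cause


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy credential so an unknown user costs the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.failures = 0
        self.locked_until = 0.0


def login(users, username, password, now, sleep):
    """Return "OK" or FAILURE_MSG; `now` (seconds) and `sleep` are injected."""
    acct = users.get(username)
    salt, stored = (acct.salt, acct.pw_hash) if acct else (_DUMMY_SALT, _DUMMY_HASH)
    # Always hash and compare in constant time, even when locked or unknown,
    # so no path is cheaper than another.
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    locked = acct is not None and now < acct.locked_until
    if acct is not None and password_ok and not locked:
        acct.failures = 0
        return "OK"
    if acct is not None and not locked:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCK_MIN_S + secrets.randbelow(LOCK_MAX_S - LOCK_MIN_S + 1)
    # One delay for every failure, including a correct password on a locked account.
    sleep(FAIL_DELAY_S)
    return FAILURE_MSG
```

While the account is locked the correct password yields the same message and the same delay as a wrong one, so nothing distinguishes the two until the lock expires.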