Comments - Authentication Plugin - PAM

9 years, 4 months ago Hartmut Holzgraefe

Well, the "can only check the users own password unless invoked by root" limitation is there for a reason:

as unix_chkpwd is a local binary and not a service it can be used to perform brute force dictionary attacks against /etc/shadow without a need to have read access to the shadow file otherwise ...

Restricting access to this for root isn't necessary, as root can read the shadow file (and do other things like changing user passwords) anyway ...

But for any other user starting unix_chkpwd, extra care is taken that only the password of this single user can be cracked this way (again, not that much harm with this, as an attacker must somehow have gained access to that user account already anyway).

Any shadow entries for other users are still hidden by the inner workings of unix_chkpwd.

(adding some comments on MDEV-7032, too ..)

 
9 years, 4 months ago Hartmut Holzgraefe

unix_chkpwd does throttle on wrong credentials being passed in, but that only helps if it is part of a service toolchain, as it is with pam_unix.

When called directly, an attacker doesn't have to wait for the 10s penalty after giving a wrong password but can just start new unix_chkpwd processes without anything putting artificial limits on the number of checks per time unit ...

 