SSHD with PAM question

Ben Lindstrom mouring at etoh.eviladmin.org
Fri Sep 24 06:11:25 EST 2004



On Thu, 23 Sep 2004, Bob Bramwell wrote:

> OK, I'll buy that.  However, fixing getpwent may not be practical on a system
> where I would like this to work, so I guess I have to do it right, or not do it.
>   Which brings up another question:  if I can't do anything useful when
> getpwent() doesn't find the user in question, why doesn't sshd simply abandon
> all attempts at authentication at that point?  Perhaps it should, in which case

By abandoning the attempt too soon you give way to timing attacks.  Where
you know that if the user does exist it takes an average of X seconds, and if
you abandon things too quickly the result is less than X seconds, then
you can safely bet the account doesn't exist and therefore should move on
to the next fake user name.

As for getpwent() and friends: as stated, there should be NSS support to do
such things.  Why the PAM group hasn't built in NSS support so that it can be
consistent across the board in how it replies to applications has always
been beyond me.

- Ben
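The point Ben makes above (that bailing out as soon as the user lookup fails lets an observer tell real accounts from fake ones by response time) is easiest to see in code. The following is an added illustration, not code from OpenSSH or from anyone on this thread: it uses a constructed in-memory user table instead of getpwent(), a deliberately slow stand-in hash (iterated FNV-1a, not a real password hash) in place of the system's crypt(), and a counter of hashing calls so the work difference can be checked deterministically rather than with a stopwatch. `auth_early_abort` is the pattern the quoted question asks about; `auth_constant_work` substitutes a fake record for unknown users so the expensive step runs either way, which is the same idea OpenSSH applies with its fake passwd entry.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the passwd database: two accounts, hashes
 * filled in at first use. Nothing here is read from the real system. */
struct user_rec {
    const char *name;
    uint64_t    pw_hash;
};

#define HASH_ROUNDS 20000

/* Slow-hash stand-in (iterated FNV-1a). NOT a password hash; it only
 * models "verifying a password costs a fixed, noticeable amount of work". */
static uint64_t slow_hash(const char *pw)
{
    uint64_t h = 1469598103934665603ULL;
    for (int r = 0; r < HASH_ROUNDS; r++) {
        for (const char *p = pw; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 1099511628211ULL;
        }
        h ^= (uint64_t)r;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Counter of hashing calls made on the authentication path, so the two
 * strategies can be compared without measuring wall-clock time. */
static unsigned long hash_calls;
unsigned long hash_calls_so_far(void) { return hash_calls; }
void          reset_hash_calls(void)  { hash_calls = 0; }

static uint64_t hash_password(const char *pw)
{
    hash_calls++;
    return slow_hash(pw);
}

/* Look up a user in the constructed table; 1 if found, 0 otherwise. */
static int lookup_user(const char *name, struct user_rec *out)
{
    static struct user_rec table[2];
    static int ready = 0;
    if (!ready) {   /* table setup does not go through hash_password() */
        table[0].name = "alice"; table[0].pw_hash = slow_hash("correct-horse");
        table[1].name = "bob";   table[1].pw_hash = slow_hash("battery-staple");
        ready = 1;
    }
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].name, name) == 0) { *out = table[i]; return 1; }
    }
    return 0;
}

/* Fake record for unknown users: a hash no submitted password will match. */
static void fake_user(struct user_rec *out)
{
    out->name = "";
    out->pw_hash = slow_hash("*LOCKED-FAKE-ENTRY*");   /* constructed value */
}

/* Strategy 1: give up as soon as the lookup fails. Unknown users skip the
 * hashing step entirely, so their rejection is measurably faster. */
int auth_early_abort(const char *user, const char *pw)
{
    struct user_rec rec;
    if (!lookup_user(user, &rec))
        return 0;
    return hash_password(pw) == rec.pw_hash;
}

/* Strategy 2: unknown users get the fake record, the hash is always
 * computed, and the result is combined without an early return, so both
 * cases perform the same amount of work and both fail identically. */
int auth_constant_work(const char *user, const char *pw)
{
    struct user_rec rec;
    int known = lookup_user(user, &rec);
    if (!known)
        fake_user(&rec);
    uint64_t h = hash_password(pw);
    return known & (h == rec.pw_hash);
}

int main(void)
{
    reset_hash_calls();
    auth_early_abort("nobody", "guess");
    printf("early-abort, unknown user: %lu hash call(s)\n", hash_calls_so_far());
    reset_hash_calls();
    auth_constant_work("nobody", "guess");
    printf("constant-work, unknown user: %lu hash call(s)\n", hash_calls_so_far());
    return 0;
}
```

The counter is a stand-in for what a network observer would measure: with the early-abort strategy an unknown user costs zero hash calls, with the constant-work strategy every attempt costs exactly one, whether or not the account exists. Equalising the hashing step is the bulk of the fix but not all of it; anything else that differs between the two paths (extra logging, a different PAM conversation, a different failure delay) reopens the same gap and has to be made uniform as well.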
