Pam module leaks information
Darren Tucker
dtucker at zip.com.au
Tue Jul 19 00:21:35 EST 2005
Senthil Kumar wrote:
> Darren wrote:
>> That said, it sounds like your module is the source of the timing
>> discrepancy. Does it behave the same way with other PAM apps?
>
> When I test this module with telnet with valid password entered they
> close the conn.
That's a bit suspicious, are they checking the PAM service name or
something? Or is it password -> delay -> close connection?
> With invalid passwd they prompt for password after some
> delay. The same behaviour happens for password auth. with sshd. With
> challengeresponse, for valid password it returns quickly to next prompt
> and with invalid password it took some time.
It's possible that your module is stashing something using pam_set_data
and then inserting the delay and failing out during the account phase.
It's pretty hard to tell without looking at the module's code.
I added a timestamp option (-v) to my PAM test harness; this may help
show where the delays are occurring:
http://www.zip.com.au/~dtucker/patches/#pamtest
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
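
Added example, not part of the original message and not the test harness linked above: a self-contained C model of the behaviour hypothesised in the reply, timed phase by phase in the spirit of the -v timestamps. The module functions, the `handle` struct (standing in for pam_set_data storage), the sample password and the 200 ms delay are all constructed assumptions; nothing here calls libpam.

```c
/* Constructed model: not libpam, not the harness linked above. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { PHASE_AUTH, PHASE_ACCOUNT, NPHASES };
struct handle { int stashed_ok; };  /* stands in for pam_set_data() storage */
static double now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000.0 + ts.tv_nsec / 1e6;
}
/* Hypothetical auth phase: records the verdict, always reports success. */
static int mod_auth(struct handle *h, const char *pw) {
    h->stashed_ok = (strcmp(pw, "correct-horse") == 0);  /* constructed password */
    return 0;
}

/* Hypothetical account phase: reads the stash; delay and failure land here. */
static int mod_account(struct handle *h, const char *pw) {
    struct timespec d = { 0, 200 * 1000000L };  /* 200 ms failure delay */
    (void)pw;
    if (h->stashed_ok) return 0;
    nanosleep(&d, NULL);
    return -1;
}

/* Run each phase in order, recording its return code and elapsed wall time. */
void time_phases(const char *pw, double elapsed[NPHASES], int rc[NPHASES]) {
    int (*phase[NPHASES])(struct handle *, const char *) = { mod_auth, mod_account };
    struct handle h = { 0 };
    for (int i = 0; i < NPHASES; i++) {
        double t0 = now_ms();
        rc[i] = phase[i](&h, pw);
        elapsed[i] = now_ms() - t0;
    }
}

int main(void) {
    const char *names[NPHASES] = { "auth", "account" };
    const char *pws[] = { "correct-horse", "wrong" };
    double e[NPHASES]; int rc[NPHASES];
    for (int p = 0; p < 2; p++) {
        time_phases(pws[p], e, rc);
        for (int i = 0; i < NPHASES; i++)
            printf("%-13s %-7s rc=%2d %7.1f ms\n", pws[p], names[i], rc[i], e[i]);
    }
    return 0;
}
```

With the wrong password the auth phase still returns success and all of the delay shows up in the account phase, which is the pattern per-phase timestamps make visible.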