Pam module leaks information

Darren Tucker dtucker at
Tue Jul 19 00:21:35 EST 2005

Senthil Kumar wrote:
> Darren wrote:
>> That said, it sounds like your module is the source of the timing
>> discrepancy.  Does it behave the same way with other PAM apps?
> When I test this module with telnet with valid password entered they 
> close the conn.

That's a bit suspicious, are they checking the PAM service name or 
something?  Or is it password -> delay -> close connection?

> With invalid passwd they prompt for password after some 
> delay. The same behaviour happens for password auth. with sshd. With 
> challengeresponse, for valid password it returns quickly to next prompt 
> and with invalid password it takes some time.

It's possible that your module is stashing something using pam_set_data 
and then inserting the delay and failing out during the account phase. 
It's pretty hard to tell without looking at the module's code.

I added a timestamp option (-v) to my PAM test harness; this may help 
show where the delays are occurring:

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list