[wplug] [Fwd: RHEL Linux PAM 3 second failed auth delay]

Brian A. Seklecki lavalamp at spiritual-machines.org
Wed Aug 29 15:05:27 EDT 2007


All:

Here's a useful little tip to disable that extremely annoying and
entirely useful "tarpit" feature (see below) that RHEL-based distros
feature in their default PAM configurations. Failed login retries are
delayed by 3 seconds.

And just a few thoughts on why this feature (alone) is useless:

-) It's not used in conjunction with any other policy/mechanism to
   prevent brute-force attacks (like auto-disabling of accounts based
   on a failed login threshold)

-) If bad people can get the sshd(8) TCP socket open, they will
   eventually find a way in.  Moreover, your network security posture is
   weak and you've poorly designed it.  One should restrict access
   using 1) Perimeter firewalls & private subnets 2) Host-based
   firewalls 3) TCP socket bind(2) restrictions in sshd_config(5).

-) If you're not using strong authentication infrastructure, people are
   going to choose weak passwords to avoid the burden of typing the
   password wrong and incurring the delay.

   Thus Redhat has effectively reduced the security of the system here.

-) Most Linux distros ship with sshd_config(5) allowing root to log in
   via sshd(8), circumventing the POSIX security model entirely

-) Most Linux distros ship with ssh_config with StrictHostKeyChecking=no

Anyway, lunch (I like to get my Redhat bashing in before)

~BAS

> Subject: [issue489] RHEL Linux PAM 3 second failed auth delay
> Date: Wed, 29 Aug 2007 18:23:41 -0000
> 
> Brian Seklecki <bseklecki at collaborativefusion.com> added the comment:
> 
> Found it:
> 
> http://linux.die.net/man/3/pam_fail_delay
> 
> To disable globally:
> /etc/pam.d/system-auth:
> 
> -auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok 
> +auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> nodelay debug
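Review bot: the options added on the `+auth` line appear to have wrapped onto a second line ("nodelay debug" by itself); in /etc/pam.d files a continued line needs a trailing backslash, otherwise that fragment is read as a separate, malformed entry, so keep `nodelay` on the same line as `pam_unix.so`. Also, `debug` has nothing to do with disabling the delay and only makes pam_unix log more to syslog; `nodelay` alone is the change that matters.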
> 
> 
> ~BAS
> 
> ----------
> status: unread -> in-progress
> 
> _______________________________________________________________________________________________
> Network Operations issues/TODO <issue_tracker at collaborativefusion.com>
> <https://intranet.priv.collaborativefusion.com/cgi-bin/roundup.cgi/CFTracker-Sysadmin/issue489>
> _______________________________________________________________________________________________
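An added audit helper, not part of the original post or of Linux-PAM: it reads a pam.d service file the way PAM does (comments dropped, backslash-continued lines joined, bracketed controls kept whole) and reports which `auth` entries for pam_unix.so lack `nodelay`, i.e. still incur the failed-login delay. Both sample files are constructed.

```python
import os
import shlex

# Constructed sample: the system-auth fragment from the tip, with the
# changed line written as a proper backslash-continued PAM line.
SAMPLE_NODELAY = """#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok \\
            nodelay debug
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Constructed sample: the stock line, so the 3 second delay still applies.
SAMPLE_DEFAULT = """#%PAM-1.0
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
"""

def pam_logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        entry = (buf + line).strip()
        buf = ""
        if entry and not entry.startswith("#"):
            lines.append(entry)
    return lines

def parse_entry(entry):
    """Split 'type control module args...', keeping [bracketed] controls whole."""
    tokens = shlex.split(entry)
    mtype = tokens[0].lstrip("-")          # leading '-' = silent if module missing
    control, rest = tokens[1], tokens[2:]
    while control.startswith("[") and not control.endswith("]"):
        control += " " + rest.pop(0)
    module, args = os.path.basename(rest[0]), rest[1:]
    return mtype, control, module, args

def audit_fail_delay(text):
    """Return the auth pam_unix entries still subject to the failed-login delay."""
    delayed = []
    for entry in pam_logical_lines(text):
        mtype, _control, module, args = parse_entry(entry)
        if mtype == "auth" and module == "pam_unix.so" and "nodelay" not in args:
            delayed.append(entry)
    return delayed
```

Run `audit_fail_delay(open("/etc/pam.d/system-auth").read())` on a host; an empty list means the delay has been disabled for pam_unix.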


