[wplug] [Fwd: RHEL Linux PAM 3 second failed auth delay]
Brian A. Seklecki
lavalamp at spiritual-machines.org
Wed Aug 29 15:05:27 EDT 2007
All:
Here's a useful little tip to disable that extremely annoying and
entirely useful "tarpit" feature (see below) that RHEL-based distros
feature in their default PAM configurations. Failed login retries are
delayed by 3 seconds.
And just a few thoughts on why this feature (alone) is useless:
-) It's not used in conjunction with any other policy/mechanism to
prevent brute-force attacks (like auto-disabling of accounts based
on a failed login threshold)
-) If bad people can get the sshd(8) TCP socket open, they will
eventually find a way in. Moreover, your network security posture is
weak and you've poorly designed it. One should restrict access
using 1) Perimeter firewalls & private subnets 2) Host-based
firewalls 3) TCP socket bind(2) restrictions in sshd_config(5).
-) If you're not using strong authentication infrastructure, people are
going to choose weak passwords to avoid the burden of typing the
password wrong and incurring the delay.
Thus Redhat has effectively reduced the security of the system here.
-) Most linux distros ship with sshd_config(5) allowing root to log in
via sshd(8), circumventing the POSIX security model entirely
-) Most linux distros ship with ssh_config with StrictHostKeyChecking=no
Anyway, lunch (I like to get my Redhat bashing in before)
~BAS
> Subject: [issue489] RHEL Linux PAM 3 second failed auth delay
> Date: Wed, 29 Aug 2007 18:23:41 -0000
>
> Brian Seklecki <bseklecki at collaborativefusion.com> added the comment:
>
> Found it:
>
> http://linux.die.net/man/3/pam_fail_delay
>
> To disable globally:
> /etc/pam.d/system-auth:
>
> -auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> +auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> nodelay debug
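Review bot: `debug` on the `+` line has nothing to do with the delay; only `nodelay` stops pam_unix from requesting the failure delay, while `debug` just makes pam_unix log extra detail to syslog on every authentication, so drop it unless you are actively troubleshooting. Also, as quoted, `nodelay debug` sits on its own line; in the real system-auth file those options have to stay on the same line as the `pam_unix.so` entry (or the previous line has to end with a backslash), otherwise PAM reads `nodelay debug` as a malformed entry of its own.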
>
>
> ~BAS
>
> ----------
> status: unread -> in-progress
>
> _______________________________________________________________________________________________
> Network Operations issues/TODO <issue_tracker at collaborativefusion.com>
> <https://intranet.priv.collaborativefusion.com/cgi-bin/roundup.cgi/CFTracker-Sysadmin/issue489>
> _______________________________________________________________________________________________
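The post's point is that `nodelay` is only defensible when a failed-login threshold is stacked alongside it. The following is an added example, not code from the original post or from Red Hat: a small audit that parses PAM configuration text in the system-auth format (type, control, module path, arguments), reports whether `pam_unix.so` carries `nodelay`, and whether a lockout module sits in the auth phase. The set of lockout module names and both sample configs are assumptions constructed for the example; `parse_pam` also handles backslash continuation and bracketed control values, which the quoted one-line diff does not need but real pam.d files do.

```python
"""Audit a PAM auth stack for the fail-delay / lockout combination.

Added example (not from the original post or from Red Hat): it parses PAM
configuration text in the system-auth format (type, control, module path,
arguments), reports whether pam_unix.so carries the `nodelay` option, and
whether a brute-force lockout module is stacked in the auth phase. The
lockout module names below are assumed (pam_tally, pam_tally2, pam_faillock)
and both sample configs are constructed for this example.
"""

# Modules that enforce a failed-login threshold. Which of these exists on a
# given box depends on the Linux-PAM version shipped; assumed set.
LOCKOUT_MODULES = {"pam_tally.so", "pam_tally2.so", "pam_faillock.so"}

# Constructed sample: delay disabled as in the post, no lockout, debug left on.
NODELAY_ONLY = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok \\
                          nodelay debug
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
"""

# Constructed sample: delay disabled but paired with a lockout threshold.
NODELAY_WITH_LOCKOUT = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally2.so onerr=fail deny=5 unlock_time=900
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok nodelay
auth        required      /lib/security/$ISA/pam_deny.so
"""


def parse_pam(text):
    """Return (type, control, module, args) tuples.

    Handles '#' comments, trailing-backslash line continuation and bracketed
    control values such as [success=1 default=ignore], the way Linux-PAM
    reads pam.d files. A leading '-' on the type (optional module) is dropped.
    """
    entries = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):           # entry continues on the next line
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split()
        logical = ""
        if len(fields) < 3:
            continue
        mtype = fields[0].lstrip("-").lower()
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        if not rest:
            continue
        module = rest[0].rsplit("/", 1)[-1]   # drop /lib/security/$ISA/
        entries.append((mtype, control, module, rest[1:]))
    return entries


def audit(text):
    """Summarise the auth phase: is the pam_unix delay off, is there a
    lockout threshold, and is pam_unix debug logging on."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    unix = [e for e in auth if e[2] == "pam_unix.so"]
    delay_disabled = any("nodelay" in e[3] for e in unix)
    lockout = any(e[2] in LOCKOUT_MODULES for e in auth)
    debug = any("debug" in e[3] for e in unix)
    findings = []
    if not lockout:
        findings.append(
            "no failed-login threshold in the auth stack; the pam_unix delay "
            + ("is also off, so nothing slows a brute-force attempt"
               if delay_disabled else "is the only brake on brute force"))
    if debug:
        findings.append("pam_unix 'debug' is set; it only adds syslog noise")
    return {"delay_disabled": delay_disabled, "lockout": lockout,
            "debug": debug, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("nodelay only", NODELAY_ONLY),
                      ("nodelay + lockout", NODELAY_WITH_LOCKOUT)):
        print(name, audit(cfg))
```

Run it against a real `/etc/pam.d/system-auth` by passing the file contents to `audit()`; the first constructed sample reproduces the post's change and is flagged on both counts (no threshold, stray `debug`), the second shows the combination the post says is missing, and produces no findings.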