[wplug] False or useless security -- WAS: RHEL Linux PAM 3 second failed auth delay

Bryan J. Smith thebs413 at yahoo.com
Wed Aug 29 15:37:55 EDT 2007


"Brian A. Seklecki" <lavalamp at spiritual-machines.org> wrote:
> Here's a useful little tip to disable that extremely annoying and
> entirely useful "tarpit" feature (see below) that RHEL-based
> distros feature in their default PAM configurations.
> Failed login retries are delayed by 3 seconds.

There is a lot of "legacy momentum" in Red Hat distributions.  Some
of that is not ideal or should not be followed forward, but it is
understandable.  This is just one of them.

As always, Fedora takes recommendations and feature enhancements in
Bugzilla, and they are _always_ considered and responded to.  If
something really "chaps your @$$," Fedora wants to know about it, and
Red Hat will very likely respect the Fedora Project's decision in the
next RHEL release.

They probably haven't considered it because no one has filed a
Bugzilla report.  Or even something as simple as this may not have
changed because of some, even if minor, regression -- and until they
get the complaints in Bugzilla, they may not change it.

> And just a few thoughts on why this feature (alone) is useless:
> -) It's not used in conjunction with any other policy/mechanism to
>    prevent brute-force attacks (like auto-disabling of accounts
> based on a failed login threshold)

But that is easily enabled either as a default or at account
creation-time.  In fact, the docs talk about this.

But yes, I agree, it's rather "half-baked" to do one without the
other, "as default."  Legacy at work here.

> -) If bad people can get the sshd(8) TCP socket open, they will
>    eventually find a way in.  Moreover, your network security
>    posture is weak and you've poorly designed it.  One should
>    restrict access using 1) Perimeter firewalls & private
>    subnets 2) Host-based firewalls 3) TCP socket bind(2)
>    restrictions in sshd_config(5).

Agreed, standard "defense-in-depth" mentality.

With Red Hat shipping SELinux (MAC/RBAC) enabled by default, I don't
know why they just don't "throw the hammer" on other things as well. 
That includes no SSH login as root by default, among other things. 
Doesn't make sense to do one without the other.

> -) If you're not using strong authentication infrastructure, people
> are going to choose weak passwords to avoid the burden of typing
> the password wrong and incurring the delay.

Er, I thought Red Hat does password strength checking, as do most
other PAM-enabled distros?  They just don't enforce it if the _root_
user is setting the password for a user (or itself).  There's an
obvious set of reasons for the latter, of course.

> Thus Redhat has effectively reduced the security of the system
> here.

Er, I'd have to disagree with you.  What they have is a number of
"false security" defaults, at least on their own.  No argument on
that.  But to say they have "reduced security," that's another story.

Frankly, I don't like shipping portmapper on by default.  This, among
other things, is a far bigger issue to complain about IMHO, but these
are _valid_ ones you bring up.

> -) Most linux distros ship with sshd_config(5) allowing root to log
> in via sshd(8), circumventing the POSIX security model entirely
> -) Most linux distros ship with ssh_config with
> StrictHostKeyChecking=no

As aforementioned.

> Anyway, lunch (I like to get my Redhat bashing in before)

There's a difference between "bashing" and offering "constructive
criticism."  I think you've done the latter quite well for the most
part.

I detailed my "litmus test" for this in a blog article in February
...
"Open Source Solution Providers' Mission Statement"
http://thebs413.blogspot.com/2007/02/open-source-solution-providers-mission.html

I think this qualifies as "constructive" and "appropriate" criticism.

A good example of "bashing" can be found in the comments of that very
article ...

  "I'm not overly enthusiastic about Ubuntu,
   and KDE well, it's %^$#&**^% IMHO."

But even that isn't crossing "Ethic," of which I have a more recent
blog article that attempts to address that ...
http://thebs413.blogspot.com/2007/08/open-source-solution-providers-code-of.html

In fact, criticizing constructively to a peer professional, including
a distribution, is a very good Ethic.  And filling out a Bugzilla
report for an overhaul to such Fedora defaults would be an ideal way
to fulfill it.  If you don't have a Red Hat Bugzilla account, or
don't want to register, I'd be very interested in filing myself --
with as much detailed input as you can provide on where things should
be made "more consistent."



-- 
Bryan J. Smith   Professional, Technical Annoyance
b.j.smith at ieee.org    http://thebs413.blogspot.com
--------------------------------------------------
     Fission Power:  An Inconvenient Solution
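As an added example (not code from the wplug thread, either poster, or Red Hat), a small POSIX-shell audit of the defaults the thread discusses: PermitRootLogin and ListenAddress in sshd_config, StrictHostKeyChecking in ssh_config, and whether pam_unix's failed-auth delay is paired with a pam_tally/pam_tally2 lockout threshold. It assumes stock OpenSSH keyword semantics and Linux-PAM module names, and every config file it reads is constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread or from Red Hat). Assumes stock
# OpenSSH keyword semantics and Linux-PAM's pam_unix / pam_tally(2);
# the sample config files below are constructed for the demo.

# Last effective value of an OpenSSH keyword (case-insensitive, comment
# lines ignored); prints nothing when the keyword is absent.
ssh_keyword() {            # $1 = config file, $2 = keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { v = $2 } END { if (v != "") print v }' "$1"
}

# OpenSSH treats an unset PermitRootLogin as "yes", so absent counts as weak.
root_login_allowed() {     # $1 = sshd_config
    v=$(ssh_keyword "$1" PermitRootLogin)
    [ -z "$v" ] || [ "$v" = "yes" ]
}

hostkey_checking_off() {   # $1 = ssh_config
    [ "$(ssh_keyword "$1" StrictHostKeyChecking)" = "no" ]
}

# pam_unix's built-in failed-auth delay (absent "nodelay") is only worth
# much next to a failed-login threshold (pam_tally/pam_tally2 deny=N).
pam_bruteforce_posture() { # $1 = PAM auth stack; prints lockout|delay-only|none
    awk '$1 == "auth" && /pam_tally2?\.so/ && /deny=/ { t = 1 }
         $1 == "auth" && /pam_unix\.so/ && !/nodelay/  { d = 1 }
         END { print (t ? "lockout" : (d ? "delay-only" : "none")) }' "$1"
}

# --- constructed samples: a "legacy default" set and a hardened set -------
tmp=$(mktemp -d)
printf '#PermitRootLogin yes\nProtocol 2\n'             > "$tmp/sshd.default"
printf 'PermitRootLogin no\nListenAddress 192.0.2.10\n' > "$tmp/sshd.hardened"
printf 'Host *\n    StrictHostKeyChecking no\n'         > "$tmp/ssh.default"
printf 'Host *\n    StrictHostKeyChecking ask\n'        > "$tmp/ssh.hardened"
printf 'auth required pam_env.so\nauth sufficient pam_unix.so try_first_pass\nauth required pam_deny.so\n' > "$tmp/pam.default"
printf 'auth required pam_env.so\nauth required pam_tally2.so deny=5 unlock_time=900\nauth sufficient pam_unix.so try_first_pass\nauth required pam_deny.so\n' > "$tmp/pam.lockout"

report() {                 # $1 = sshd_config  $2 = ssh_config  $3 = PAM file
    root_login_allowed "$1"   && echo "WEAK: root may log in over ssh ($1)"
    hostkey_checking_off "$2" && echo "WEAK: StrictHostKeyChecking=no ($2)"
    echo "PAM brute-force posture: $(pam_bruteforce_posture "$3")"
}

report "$tmp/sshd.default"  "$tmp/ssh.default"  "$tmp/pam.default"
report "$tmp/sshd.hardened" "$tmp/ssh.hardened" "$tmp/pam.lockout"
```

Pointing `report` at a host's real /etc/ssh/sshd_config, /etc/ssh/ssh_config and /etc/pam.d/system-auth gives the same three-line verdict for that host.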

