oss-sec mailing list archives
Re: Linux-PAM pam_unix/unix_chkpwd is fail-open
From: Daniel Cegiełka <daniel.cegielka () gmail com>
Date: Wed, 5 Mar 2014 17:30:53 +0100
2014-03-04 21:54 GMT+01:00 Solar Designer <solar () openwall com>:
> Someone might want to patch this issue in Linux-PAM.
>
> Alexander
Hi Alexander,

I know it's not realistic, but it may be easier to go to OpenPAM. The code is much smaller and easier to audit (and tcb works with OpenPAM). OpenBSD is doing well with BSD auth and gains the same as with PAM (plugins via /usr/libexec/auth/*). BSD auth is only three C core files:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/auth_subr.c?rev=1.39;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/authenticate.c?rev=1.20;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/login_cap.c?rev=1.29;content-type=text%2Fplain

So it might be a better 'patch' than bloated Linux-PAM.

BTW, I'm thinking about porting the BSD auth API to Linux/tcb.

Daniel