oss-sec mailing list archives

Re: Linux-PAM pam_unix/unix_chkpwd is fail-open


From: Daniel Cegiełka <daniel.cegielka () gmail com>
Date: Wed, 5 Mar 2014 17:30:53 +0100

2014-03-04 21:54 GMT+01:00 Solar Designer <solar () openwall com>:
> Someone might want to patch this issue in Linux-PAM.
>
> Alexander

Hi Alexander,

I know it's not realistic, but it may be easier to switch to OpenPAM.
The code is much smaller and easier to audit (and tcb works with
OpenPAM). OpenBSD is doing well with BSD auth and gains the same as
with PAM (plugins via /usr/libexec/auth/*). BSD auth is only three C
core files:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/auth_subr.c?rev=1.39;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/authenticate.c?rev=1.20;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/login_cap.c?rev=1.29;content-type=text%2Fplain

So it might be a better 'patch' than bloated Linux-PAM.

BTW, I'm thinking about porting the BSD auth API to Linux/tcb.

Daniel
