author    Thorsten Kukuk <kukuk@thkukuk.de>  2006-08-01 09:58:14 +0000
committer Thorsten Kukuk <kukuk@thkukuk.de>  2006-08-01 09:58:14 +0000
commit    431e8c6747b4a4bb814457cd51f4a3c4fd1673a5 (patch)
tree      082da78936220348db913d4d9b34763b27a48ba7
parent    31c5402b292a1c76268221f570952c450755fd60 (diff)
Relevant BUGIDs:
Purpose of commit: bugfix
Commit summary:
---------------
2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>

 * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance rationale
 about when this function should be used and when not.
-rw-r--r--  ChangeLog                      5
-rw-r--r--  doc/man/pam_fail_delay.3      14
-rw-r--r--  doc/man/pam_fail_delay.3.xml  15
3 files changed, 21 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index de30b6a0..339257d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
+ * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance
+ rationale about when this function should be used and when not.
+
+2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
* libpam/Makefile.am: Bump patchlevel of libpam.
* libpam/pam_dispatch.c (_pam_dispatch_aux): If [return=die]
or [return=bad] is used, don't return PAM_IGNORE. Based on
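Review bot: the new ChangeLog entry opens a second `2006-08-01 Thorsten Kukuk` header directly above an existing one with the same date and author; ChangeLog convention is to add the `* doc/man/pam_fail_delay.3.xml:` item under the existing header instead of duplicating it. The item text "Fix some Bugs" also has a stray capital and does not say which bugs were fixed; naming them (the `HAVE_PAM_FAIL_DELAY` feature macro and the PAM_FAIL_DELAY item wording, going by the rest of this patch) would make the entry useful to someone reading the log later.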
diff --git a/doc/man/pam_fail_delay.3 b/doc/man/pam_fail_delay.3
index f9a7e2d1..000276ed 100644
--- a/doc/man/pam_fail_delay.3
+++ b/doc/man/pam_fail_delay.3
@@ -1,11 +1,11 @@
.\" Title: pam_fail_delay
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/27/2006
+.\" Date: 08/01/2006
.\" Manual: Linux\-PAM Manual
.\" Source: Linux\-PAM Manual
.\"
-.TH "PAM_FAIL_DELAY" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FAIL_DELAY" "3" "08/01/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -37,13 +37,13 @@ all authentication modules have been called, but
\fIbefore\fR
control is returned to the service application.
.PP
-When using this function the application programmer should check if it is available with:
+When using this function the programmer should check if it is available with:
.sp
.RS 3n
.nf
-#ifdef PAM_FAIL_DELAY
+#ifdef HAVE_PAM_FAIL_DELAY
....
-#endif /* PAM_FAIL_DELAY */
+#endif /* HAVE_PAM_FAIL_DELAY */
.fi
.RE
@@ -73,7 +73,7 @@ that the application has associated with the current
\fIpamh\fR. This last value was set by the application when it called
\fBpam_start\fR(3)
or explicitly with
-\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY is unset (or set to NULL), then no delay will be performed.
+\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed.
.SH "RATIONALE"
.PP
It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of
@@ -84,7 +84,7 @@ dictionary attack \-\- with an automated process, the attacker tries all possibl
\fIcovert channel\fR
of useful information.
.PP
-To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process.
+To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferable this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditional.
.SH "EXAMPLE"
.PP
For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:
diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml
index 2cac066a..a101cf39 100644
--- a/doc/man/pam_fail_delay.3.xml
+++ b/doc/man/pam_fail_delay.3.xml
@@ -50,13 +50,13 @@
control is returned to the service application.
</para>
<para>
- When using this function the application programmer should check if
- it is available with:
+ When using this function the programmer should check if it is
+ available with:
</para>
<programlisting>
-#ifdef PAM_FAIL_DELAY
+#ifdef HAVE_PAM_FAIL_DELAY
....
-#endif /* PAM_FAIL_DELAY */
+#endif /* HAVE_PAM_FAIL_DELAY */
</programlisting>
<para>
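Review bot: the availability test is changed to `#ifdef HAVE_PAM_FAIL_DELAY`, but the paragraph still does not say which header defines that macro, so a reader cannot tell whether to include a PAM header or expect it from a configure check; add a sentence naming the header. The rename itself is correct: as the next hunk in this file spells out, `PAM_FAIL_DELAY` is also the name of the pam_set_item item, so `#ifdef PAM_FAIL_DELAY` tested for the item constant rather than for the function, and a separate HAVE_ macro removes that ambiguity.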
@@ -93,7 +93,7 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
<citerefentry>
<refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>.
- Note, if PAM_FAIL_DELAY is unset (or set to NULL), then no delay
+ Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay
will be performed.
</para>
</refsect1>
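Review bot: "if PAM_FAIL_DELAY item is unset" is missing its article and should read "if the PAM_FAIL_DELAY item is unset (or set to NULL)". Since the man page is generated from this XML, fixing it here and regenerating pam_fail_delay.3 also corrects the matching line in the roff hunk above.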
@@ -116,6 +116,9 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
<para>
To minimize the effectiveness of such attacks, it is desirable to
introduce a random delay in a failed authentication process.
+ Preferable this value should be set by the application or a special
+ PAM module. Standard PAM modules should not modify the delay
+ unconditional.
</para>
</refsect1>
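Review bot: two grammar slips in the added sentences: "Preferable this value" should be "Preferably, this value", and "modify the delay unconditional" should be "modify the delay unconditionally". The guidance also leaves open what a "special PAM module" is and how a module's own pam_fail_delay() call combines with the application's value (the EXAMPLE section in this same file still shows `module #2: pam_fail_delay (pamh, 4000000);`), so a reader cannot tell whether a module's call is now discouraged or merely expected to respect an application-set delay; one sentence stating the intended interaction would make the rule actionable.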
@@ -195,5 +198,5 @@ module #2: pam_fail_delay (pamh, 4000000);
Linux-PAM extension.
</para>
</refsect1>
-
+
</refentry>
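Review bot: this last hunk replaces a blank line before `</refentry>` with a visually identical blank line, so it is a trailing-whitespace or line-ending fix unrelated to the documentation changes; either drop it from this commit or mention it in the ChangeLog entry so the diff does not look spurious.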