From 431e8c6747b4a4bb814457cd51f4a3c4fd1673a5 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 1 Aug 2006 09:58:14 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2006-08-01 Thorsten Kukuk * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance rationale about when this function should be used and when not. --- ChangeLog | 5 +++++ doc/man/pam_fail_delay.3 | 14 +++++++------- doc/man/pam_fail_delay.3.xml | 15 +++++++++------ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index de30b6a0..339257d4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2006-08-01 Thorsten Kukuk + + * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance + rationale about when this function should be used and when not. + 2006-08-01 Thorsten Kukuk * libpam/Makefile.am: Bump patchlevel of libpam. diff --git a/doc/man/pam_fail_delay.3 b/doc/man/pam_fail_delay.3 index f9a7e2d1..000276ed 100644 --- a/doc/man/pam_fail_delay.3 +++ b/doc/man/pam_fail_delay.3 @@ -1,11 +1,11 @@ .\" Title: pam_fail_delay .\" Author: .\" Generator: DocBook XSL Stylesheets v1.70.1 -.\" Date: 06/27/2006 +.\" Date: 08/01/2006 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "PAM_FAIL_DELAY" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_FAIL_DELAY" "3" "08/01/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -37,13 +37,13 @@ all authentication modules have been called, but \fIbefore\fR control is returned to the service application. .PP -When using this function the application programmer should check if it is available with: +When using this function the programmer should check if it is available with: .sp .RS 3n .nf -#ifdef PAM_FAIL_DELAY +#ifdef HAVE_PAM_FAIL_DELAY .... -#endif /* PAM_FAIL_DELAY */ +#endif /* HAVE_PAM_FAIL_DELAY */ .fi .RE 
@@ -73,7 +73,7 @@ that the application has associated with the current \fIpamh\fR. This last value was set by the application when it called \fBpam_start\fR(3) or explicitly with -\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY is unset (or set to NULL), then no delay will be performed. +\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed. .SH "RATIONALE" .PP It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of @@ -84,7 +84,7 @@ dictionary attack \-\- with an automated process, the attacker tries all possibl \fIcovert channel\fR of useful information. .PP -To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. +To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferable this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditional. .SH "EXAMPLE" .PP For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code: diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml index 2cac066a..a101cf39 100644 --- a/doc/man/pam_fail_delay.3.xml +++ b/doc/man/pam_fail_delay.3.xml @@ -50,13 +50,13 @@ control is returned to the service application. - When using this function the application programmer should check if - it is available with: + When using this function the programmer should check if it is + available with: -#ifdef PAM_FAIL_DELAY +#ifdef HAVE_PAM_FAIL_DELAY .... -#endif /* PAM_FAIL_DELAY */ +#endif /* HAVE_PAM_FAIL_DELAY */ 
@@ -93,7 +93,7 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); pam_set_item3 . - Note, if PAM_FAIL_DELAY is unset (or set to NULL), then no delay + Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed. @@ -116,6 +116,9 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. + Preferable this value should be set by the application or a special + PAM module. Standard PAM modules should not modify the delay + unconditional. @@ -195,5 +198,5 @@ module #2: pam_fail_delay (pamh, 4000000); Linux-PAM extension. - + -- cgit v1.2.3
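Review bot: the availability check in the @@ -37,13 hunk of doc/man/pam_fail_delay.3 (mirrored in the @@ -50,13 hunk of the .xml) now tests HAVE_PAM_FAIL_DELAY, but the paragraph still does not say where that macro is defined. A reader cannot tell from "#ifdef HAVE_PAM_FAIL_DELAY" whether the PAM headers provide it or the application's own build system has to. Suggest adding one sentence naming the header or mechanism that defines it. The same hunk narrows "the application programmer" to "the programmer"; if module authors are now meant as well, say so explicitly, since the rationale added later in this patch treats applications and modules differently.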
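Review bot: the reworded note in the @@ -73,7 hunk of pam_fail_delay.3 (and the @@ -93,7 hunk of the .xml) is missing an article: "if PAM_FAIL_DELAY item is unset" should read "if the PAM_FAIL_DELAY item is unset (or set to NULL)". Adding "item" is worthwhile, because the earlier hunk stops using PAM_FAIL_DELAY as the feature-test name, so this sentence is now the place where the reader learns it is a PAM item rather than a preprocessor symbol. Consider marking it up as a constant in the XML so the distinction also survives in the rendered page.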
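Review bot: the two sentences added to RATIONALE in the @@ -84,7 hunk of pam_fail_delay.3 (and the @@ -116,6 hunk of the .xml) have grammar errors and leave the guidance underspecified. "Preferable this value should be set" should be "Preferably this value should be set", and "should not modify the delay unconditional" should be "should not modify the delay unconditionally". "This value" has no clear antecedent after "a random delay"; "the delay" would be unambiguous. The text also gives the rule without the reason: it does not say what a "special PAM module" is, or why a standard module setting the delay unconditionally is a problem for the application's chosen failure timing. One sentence of explanation would let module authors apply the rule correctly.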