[Pkg-shadow-devel] passwd behavior

Tomasz Kłoczko kloczek at rudy.mif.pg.gda.pl
Mon Apr 3 16:34:19 UTC 2006 

On Mon, 3 Apr 2006, Alexander Gattin wrote:

> Hi!
>
> On Mon, Apr 03, 2006 at 11:39:33AM +0200, Tomasz Kłoczko wrote:
>> incorrect. I was looking on some other passwd implementations and seems
>> only shadow passwd blocades SIGINT (Ctrl-C). I don't see any real
>> reasons for doing this (security or other).
>
> AFAIR this is done to make life of password bruteforcer
> harder. I.e. when he enters wrong _initial_ password,
> PAM or no-pam-shadow will delay (for e.g. 3s IIRC). By
> using ^C he/she will be ably to bypass this delay.
>
> But when user enters _new_ passwword and _retypes_ it,
> he/she shouldn't have SIGINT blocked.

IMO "easier/harder" criteria isn't correct.
Correct is "it is possible/not possible".

Next what I see: in casse "initial pasword" .. there is no initial
password case :_)
Why ? OK. Lets look on usual cycle adding new user .. user is added 
without password (in shadow map sits "x" as password digest). Usualy only
root can change password. In case changeing password on this stage if root 
will ommit messages like "password is too short" or "based on dictionary word"
_now_ is powssible bruteforce attack .. and look this is not "initial" 
password but only "weak" passowrd. Isn't it ?
If password is not weak -> is using SIGINT for passwd changes 
something ? Lokks like .. not :)
In this variant only is neccessary detecting passwd 
bruteforce attack (probably can be done on for example logwatch or 
other syslog log or audit log analiser level).

Next questions in this analise: is blocadeing SIGINT in passwd makes not 
possible bruteforce passwd commnad attack ?
Answer is: still _not_. So ..
-> Q:  how to blocade correctly passwd command bruteforce attack ?
-> A1: by detecting too many tries password changes without entering
        correct old password fist in some period.
-> A2: by blocade for root/privilidged user allow set weak password (how
        many times root sets themeselves weak password .. only because
        it is possible ? :)

IMO best way for solve passwd command bruteforce attack is walking on 
second answer path .. maybe not by make strict dissallow set weak 
password but by make this as configuration option.

Lets continue .. but only if on above is something wrong :)
My current conclution is: still I'm shure about unblocade SIGINT in 
passwd.

kloczek
-- 
-----------------------------------------------------------
*Ludzie nie mają problemów, tylko sobie sami je stwarzają*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek at rudy.mif.pg.gda.pl*

More information about the Pkg-shadow-devel mailing list