Date: Wed, 5 Mar 2014 17:30:53 +0100
From: Daniel Cegiełka <daniel.cegielka@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux-PAM pam_unix/unix_chkpwd is fail-open

2014-03-04 21:54 GMT+01:00 Solar Designer <solar@...nwall.com>:

> Someone might want to patch this issue in Linux-PAM.
>
> Alexander

Hi Alexander,

I know it's not realistic, but it may be easier to go to OpenPAM.
The code is much smaller and easier to audit (and tcb works with
OpenPAM). OpenBSD is doing well with BSD auth and gains the same as
with PAM (plugins via /usr/libexec/auth/*). BSD auth is only three core
C files:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/auth_subr.c?rev=1.39;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/authenticate.c?rev=1.20;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/login_cap.c?rev=1.29;content-type=text%2Fplain

So it might be a better 'patch' than bloated Linux-PAM.

BTW, I'm thinking about porting the BSD auth API to Linux/tcb.

Daniel
