Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 5 Mar 2014 17:30:53 +0100
From: Daniel Cegiełka <daniel.cegielka@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux-PAM pam_unix/unix_chkpwd is fail-open

2014-03-04 21:54 GMT+01:00 Solar Designer <solar@...nwall.com>:

> Someone might want to patch this issue in Linux-PAM.
>
> Alexander

Hi Alexander,

I know it's not realistic, but it may be easier to go to the OpenPAM.
The code is much smaller and easier to audit (and tcb works with
OpenPAM). OpenBSD is doing well with the BSD auth and gain the same as
with PAM (plugins via /usr/libexec/auth/*). BSD auth is only three C
core files:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/auth_subr.c?rev=1.39;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/authenticate.c?rev=1.20;content-type=text%2Fplain
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/login_cap.c?rev=1.29;content-type=text%2Fplain

So it might be a better 'patch' than bloated Linux-PAM.

btw. I'm thinking about porting BSD auth API to Linux/tcb.

Daniel

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.