PAM_FAIL_DELAY
Section: Programmers' Manual (3)
Updated: 1997 Jan 12

NAME
pam_fail_delay - request a delay on failure

SYNOPSIS
#include <security/pam_appl.h>
or,
#include <security/pam_modules.h>

int pam_fail_delay(pam_handle_t *pamh, unsigned int usec);

DESCRIPTION
It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of short timeouts, it may prove possible to attempt a brute force dictionary attack -- with an automated process, the attacker tries all possible passwords to gain access to the system. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process. These latter attacks make use of procedural delays that constitute a covert channel of useful information.
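The timing channel described above, as an added example that is not part of the manual page and does not call libpam: a toy check whose two failure paths take different times, and a wrapper that stretches every denial to the same floor. All names, the account, the secret and the 100 ms floor are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define FAIL_FLOOR_USEC 100000u /* constructed value, kept short so the demo runs quickly */
enum result { AUTH_OK, AUTH_NO_USER, AUTH_BAD_SECRET };

static uint64_t now_usec(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000u + (uint64_t)ts.tv_nsec / 1000u;
}

static void sleep_usec(uint64_t usec) {
    struct timespec ts = { .tv_sec = (time_t)(usec / 1000000u),
                           .tv_nsec = (long)(usec % 1000000u) * 1000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR) { } /* resume if interrupted */
}

/* Wait still owed so that a denial lasts floor_usec in total. */
uint64_t pad_usec(uint64_t elapsed, uint64_t floor_usec) {
    return elapsed >= floor_usec ? 0 : floor_usec - elapsed;
}

/* Toy check (constructed account): an unknown user is rejected at once, a known
   user only after a slow step, so the raw denial time tells the two apart. */
static enum result toy_check(const char *user, const char *secret) {
    if (strcmp(user, "alice") != 0) return AUTH_NO_USER;
    sleep_usec(30000); /* stands in for a deliberately slow password hash */
    return strcmp(secret, "constructed-secret") == 0 ? AUTH_OK : AUTH_BAD_SECRET;
}

/* Runs one attempt and returns how long the caller waited, in microseconds.
   With pad set, every denial is stretched to the same floor. */
uint64_t timed_login(const char *user, const char *secret, int pad, enum result *out) {
    uint64_t start = now_usec();
    *out = toy_check(user, secret);
    if (*out != AUTH_OK && pad) sleep_usec(pad_usec(now_usec() - start, FAIL_FLOOR_USEC));
    return now_usec() - start;
}

int main(void) {
    enum result r;
    for (int pad = 0; pad <= 1; pad++) {
        uint64_t a = timed_login("mallory", "guess", pad, &r);
        uint64_t b = timed_login("alice", "guess", pad, &r);
        printf("pad=%d unknown-user=%lluus bad-secret=%lluus\n", pad,
               (unsigned long long)a, (unsigned long long)b);
    }
    return 0;
}
```

Padding to a floor makes both denials last about the same time; adding the same constant wait to each would slow guessing but leave the 30 ms gap between them measurable.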

EXAMPLE
For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:

RETURN VALUE
Following a successful call to pam_fail_delay(3), PAM_SUCCESS is returned. All other returns should be considered serious failures.

ERRORS
May be translated to text with pam_strerror(3).

CONFORMING TO
Under consideration by the X/Open group for future inclusion in the PAM RFC. 1996/1/10

BUGS
None known.

SEE ALSO
pam_start(3), pam_get_item(3) and pam_strerror(3).

Also, see the three Linux-PAM Guides, for System administrators, module developers, and application developers.