+2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * doc/man/pam_fail_delay.3.xml: Fix some Bugs and enhance
+ rationale about when this function should be used and when not.
+
2006-08-01 Thorsten Kukuk <kukuk@thkukuk.de>
* libpam/Makefile.am: Bump patchlevel of libpam.
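Review bot: the ChangeLog entry names only doc/man/pam_fail_delay.3.xml, but the patch also regenerates doc/man/pam_fail_delay.3 (new Date and .TH lines); list the regenerated manual page as well, and replace "Fix some Bugs" with the concrete fixes (the HAVE_PAM_FAIL_DELAY availability test and the "PAM_FAIL_DELAY item" wording) so the log entry says what changed.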
.\" Title: pam_fail_delay
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/27/2006
+.\" Date: 08/01/2006
.\" Manual: Linux\-PAM Manual
.\" Source: Linux\-PAM Manual
.\"
-.TH "PAM_FAIL_DELAY" "3" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_FAIL_DELAY" "3" "08/01/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
\fIbefore\fR
control is returned to the service application.
.PP
-When using this function the application programmer should check if it is available with:
+When using this function the programmer should check if it is available with:
.sp
.RS 3n
.nf
-#ifdef PAM_FAIL_DELAY
+#ifdef HAVE_PAM_FAIL_DELAY
....
-#endif /* PAM_FAIL_DELAY */
+#endif /* HAVE_PAM_FAIL_DELAY */
.fi
.RE
\fIpamh\fR. This last value was set by the application when it called
\fBpam_start\fR(3)
or explicitly with
-\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY is unset (or set to NULL), then no delay will be performed.
+\fBpam_set_item\fR(3). Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay will be performed.
.SH "RATIONALE"
.PP
It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user. In cases of
\fIcovert channel\fR
of useful information.
.PP
-To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process.
+To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process. Preferable this value should be set by the application or a special PAM module. Standard PAM modules should not modify the delay unconditional.
.SH "EXAMPLE"
.PP
For example, a login application may require a failure delay of roughly 3 seconds. It will contain the following code:
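Review bot: the RATIONALE hunk asks for a random delay chosen by the application or a dedicated module, while the EXAMPLE right after it speaks of "roughly 3 seconds"; say which side adds the randomness around the requested value, because an application that delays on one failure path and not on another reintroduces exactly the timing channel this section warns about. Note also that this file is DocBook-generated output (see the Generator line in its header), so any wording fix belongs in the .xml source and this hunk should then be regenerated rather than hand-edited.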
control is returned to the service application.
</para>
<para>
- When using this function the application programmer should check if
- it is available with:
+ When using this function the programmer should check if it is
+ available with:
</para>
<programlisting>
-#ifdef PAM_FAIL_DELAY
+#ifdef HAVE_PAM_FAIL_DELAY
....
-#endif /* PAM_FAIL_DELAY */
+#endif /* HAVE_PAM_FAIL_DELAY */
</programlisting>
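Review bot: the listing now tests HAVE_PAM_FAIL_DELAY, but the surrounding text never says where that macro is defined, so an application programmer cannot tell whether the Linux-PAM headers provide it or whether their own configure check has to; add one sentence naming its origin next to "it is available with:". The rename itself is correct: the old test on PAM_FAIL_DELAY checked the name of the item this page discusses further down ("if PAM_FAIL_DELAY item is unset"), not whether the pam_fail_delay function exists.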
<para>
<citerefentry>
<refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>.
- Note, if PAM_FAIL_DELAY is unset (or set to NULL), then no delay
+ Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay
will be performed.
</para>
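Review bot: "if PAM_FAIL_DELAY item is unset" is missing its article; write "if the PAM_FAIL_DELAY item is unset (or set to NULL)". Since the preceding lines say this value was set by the application via pam_start or pam_set_item, it would also help to make explicit that the item and the pam_fail_delay function are two different things that share a name, which is the confusion the old #ifdef test fell into.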
</refsect1>
<para>
To minimize the effectiveness of such attacks, it is desirable to
introduce a random delay in a failed authentication process.
+ Preferable this value should be set by the application or a special
+ PAM module. Standard PAM modules should not modify the delay
+ unconditional.
</para>
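Review bot: grammar in the added sentences: "Preferable this value should be set" should read "Preferably, this value should be set", and "modify the delay unconditional" should read "modify the delay unconditionally". Consider also stating the positive rule the negative one implies: a standard module should touch the delay only when explicitly configured to do so, so that the application (or the dedicated module) remains the single place that decides it and the delay it chose is not silently replaced by another module in the stack.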
</refsect1>
Linux-PAM extension.
</para>
</refsect1>
-
+
</refentry>
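Review bot: the final hunk replaces an empty line with an empty line, i.e. a whitespace-only change (trailing whitespace or line ending) just before </refentry>; it is unrelated to the documented fix and can be dropped to keep the diff minimal, unless it is meant to repair a missing final newline, in which case the ChangeLog should say so.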