CESNET / rousette

RESTCONF server for sysrepo
https://gerrit.cesnet.cz/q/project:CzechLight/rousette
Apache License 2.0

PAM: async sleep on wrong password #1

Closed jktjkt closed 9 months ago

jktjkt commented 11 months ago

I think that the current patch won't sleep() upon a password failure. That means that the service allows password bruteforcing.

When this is fixed, let's prefer asynchronous sleeping so that the HTTP server's thread is not busy in a synchronous sleep (if at all possible).

jktjkt commented 11 months ago

The patch is actually safe, a failed attempt blocks:

Thread 3 (Thread 0x7ffff5dfe6c0 (LWP 263517) "rousette"):
#0  0x00007ffff7236f2c in __GI___select (nfds=0, readfds=0x0, writefds=0x0, exceptfds=0x0, timeout=0x7ffff5dfcf30) at ../sysdeps/unix/sysv/linux/select.c:69
#1  0x00007ffff7ceeac1 in _pam_await_timer () from /nix/store/j277iayqyqm5acgryf7nx85shph5iyf2-linux-pam-1.5.2/lib/libpam.so.0
#2  0x00007ffff7cee6a2 in pam_authenticate () from /nix/store/j277iayqyqm5acgryf7nx85shph5iyf2-linux-pam-1.5.2/lib/libpam.so.0
#3  0x0000000000476a2f in rousette::auth::(anonymous namespace)::authenticate_pam (remoteHost=..., userPass=...) at /home/jkt/work/cesnet/gerrit/CzechLight/rousette/src/restconf/PAM.cpp:149
#4  rousette::auth::authenticate_pam (blob=..., remoteHost=...) at /home/jkt/work/cesnet/gerrit/CzechLight/rousette/src/restconf/PAM.cpp:164
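
The blocking seen in the backtrace is libpam's default fail delay: the module asks for a delay (pam_fail_delay) and libpam then sleeps in _pam_await_timer inside pam_authenticate() before returning. Linux-PAM lets the application take that delay over by registering a PAM_FAIL_DELAY handler with pam_set_item; libpam then calls the handler with the return code and the (randomized) delay it computed instead of sleeping. The sketch below is an added example, not rousette's code: it shows such a handler parking the result on a timer queue so that the calling thread returns at once, and it does not link against libpam, so the handler is invoked directly with the values libpam would pass. FailDelayQueue, PendingAuth, simulatePamOutcome and the kPam* constants are hypothetical names; the constants' values are assumed to match Linux-PAM's.

```cpp
#include <algorithm>
#include <chrono>
#include <condition_variable>
#include <cstdio>
#include <functional>
#include <future>
#include <list>
#include <mutex>
#include <thread>

// Return codes; the values are assumed to mirror Linux-PAM's PAM_SUCCESS / PAM_AUTH_ERR.
constexpr int kPamSuccess = 0;
constexpr int kPamAuthErr = 7;

// Timer queue owned by the server: one thread sleeps until the earliest deadline
// and runs its completion; callers only enqueue and return immediately.
class FailDelayQueue {
public:
    FailDelayQueue() : worker_([this] { run(); }) {}
    ~FailDelayQueue() {
        { std::lock_guard<std::mutex> lock(mutex_); stopping_ = true; }
        cv_.notify_all();
        worker_.join();
    }
    void schedule(std::chrono::microseconds delay, std::function<void()> completion) {
        const auto deadline = std::chrono::steady_clock::now() + delay;
        { std::lock_guard<std::mutex> lock(mutex_); pending_.push_back({deadline, std::move(completion)}); }
        cv_.notify_all();
    }
private:
    struct Entry { std::chrono::steady_clock::time_point deadline; std::function<void()> completion; };
    void run() {
        std::unique_lock<std::mutex> lock(mutex_);
        while (!stopping_) {
            if (pending_.empty()) { cv_.wait(lock); continue; }
            auto next = std::min_element(pending_.begin(), pending_.end(),
                [](const Entry& a, const Entry& b) { return a.deadline < b.deadline; });
            if (std::chrono::steady_clock::now() < next->deadline) {
                cv_.wait_until(lock, next->deadline);  // may wake early; the loop re-checks
                continue;
            }
            auto completion = std::move(next->completion);
            pending_.erase(next);
            lock.unlock();
            completion();  // deliver the delayed authentication result
            lock.lock();
        }
    }
    std::mutex mutex_;
    std::condition_variable cv_;
    std::list<Entry> pending_;
    bool stopping_ = false;
    std::thread worker_;  // declared last so the other members exist before run() starts
};

// Per-request context; with real PAM this is the appdata_ptr of the pam_conv struct.
struct PendingAuth {
    FailDelayQueue* queue;
    std::promise<bool> done;  // resolved with "authenticated?" once the delay has elapsed
};

// Same signature as a Linux-PAM PAM_FAIL_DELAY handler: void (*)(int, unsigned, void*).
// With a real handle it would be registered once via
//   pam_set_item(pamh, PAM_FAIL_DELAY, reinterpret_cast<const void*>(&asyncFailDelay));
// after which libpam calls it instead of sleeping inside pam_authenticate().
void asyncFailDelay(int retval, unsigned usec_delay, void* appdata_ptr) {
    auto* pending = static_cast<PendingAuth*>(appdata_ptr);
    const bool ok = (retval == kPamSuccess);
    if (ok || usec_delay == 0) { pending->done.set_value(ok); return; }
    pending->queue->schedule(std::chrono::microseconds(usec_delay),
                             [pending, ok] { pending->done.set_value(ok); });
}

struct Timing { long long handler_ms; long long result_ms; bool authenticated; };

// Simulate a pam_authenticate() outcome whose module asked for usec_delay and
// measure how long the calling thread is tied up versus when the result arrives.
Timing simulatePamOutcome(int retval, unsigned usec_delay) {
    using clock = std::chrono::steady_clock;
    using ms = std::chrono::milliseconds;
    FailDelayQueue queue;
    PendingAuth pending{&queue, {}};
    auto future = pending.done.get_future();
    const auto start = clock::now();
    asyncFailDelay(retval, usec_delay, &pending);  // what libpam would do after the module returns
    const auto returned = clock::now();
    const bool ok = future.get();
    const auto delivered = clock::now();
    return { static_cast<long long>(std::chrono::duration_cast<ms>(returned - start).count()),
             static_cast<long long>(std::chrono::duration_cast<ms>(delivered - start).count()), ok };
}

// The libpam default when no handler is registered: the thread simply blocks
// (the select() inside _pam_await_timer seen in the backtrace above).
long long blockingFailDelay(unsigned usec_delay) {
    const auto start = std::chrono::steady_clock::now();
    std::this_thread::sleep_for(std::chrono::microseconds(usec_delay));
    return static_cast<long long>(std::chrono::duration_cast<std::chrono::milliseconds>(
        std::chrono::steady_clock::now() - start).count());
}

int main() {
    const Timing t = simulatePamOutcome(kPamAuthErr, 200000);  // 200 ms, as a module might request
    std::printf("async: handler returned after %lld ms, failure delivered after %lld ms\n",
                t.handler_ms, t.result_ms);
    std::printf("blocking: caller busy for %lld ms\n", blockingFailDelay(200000));
    return 0;
}
```

Two things the sketch leaves to the server: the HTTP response has to stay parked until the completion runs (the delay is pointless if the client can learn the outcome earlier by closing and reconnecting), and the number of parked requests should be bounded, otherwise thread exhaustion is merely traded for memory exhaustion under the same bruteforce load.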

jktjkt commented 9 months ago

fixed some time ago via 24584ebcf7859305d8b72240951eedc768d1d79e