Closed jktjkt closed 9 months ago
The patch is actually safe, a failed attempt blocks:

```
Thread 3 (Thread 0x7ffff5dfe6c0 (LWP 263517) "rousette"):
#0 0x00007ffff7236f2c in __GI___select (nfds=0, readfds=0x0, writefds=0x0, exceptfds=0x0, timeout=0x7ffff5dfcf30) at ../sysdeps/unix/sysv/linux/select.c:69
#1 0x00007ffff7ceeac1 in _pam_await_timer () from /nix/store/j277iayqyqm5acgryf7nx85shph5iyf2-linux-pam-1.5.2/lib/libpam.so.0
#2 0x00007ffff7cee6a2 in pam_authenticate () from /nix/store/j277iayqyqm5acgryf7nx85shph5iyf2-linux-pam-1.5.2/lib/libpam.so.0
#3 0x0000000000476a2f in rousette::auth::(anonymous namespace)::authenticate_pam (remoteHost=..., userPass=...) at /home/jkt/work/cesnet/gerrit/CzechLight/rousette/src/restconf/PAM.cpp:149
#4 rousette::auth::authenticate_pam (blob=..., remoteHost=...) at /home/jkt/work/cesnet/gerrit/CzechLight/rousette/src/restconf/PAM.cpp:164
```
fixed some time ago via 24584ebcf7859305d8b72240951eedc768d1d79e
I think that the current patch won't `sleep()` upon a password failure. That means that the service allows password bruteforcing. When this is fixed, let's prefer asynchronous sleeping so that the HTTP server's thread is not busy in a synchronous sleep (if at all possible).