summaryrefslogtreecommitdiffstats
path: root/doc/man/pam_fail_delay.3.xml
blob: 53c1f89e80034ebc22ec65248c66cd07849cc7b5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">

<refentry id="pam_fail_delay">

  <refmeta>
    <refentrytitle>pam_fail_delay</refentrytitle>
    <manvolnum>3</manvolnum>
    <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
  </refmeta>

  <refnamediv id="pam_fail_delay-name">
    <refname>pam_fail_delay</refname>
    <refpurpose>request a delay on failure</refpurpose>
  </refnamediv>

<!-- body begins here -->

  <refsynopsisdiv>
    <funcsynopsis id="pam_fail_delay-synopsis">
      <funcsynopsisinfo>#include &lt;security/pam_appl.h&gt;</funcsynopsisinfo>
      <funcprototype>
        <funcdef>int <function>pam_fail_delay</function></funcdef>
        <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef>
        <paramdef>unsigned int <parameter>usec</parameter></paramdef>
      </funcprototype>
    </funcsynopsis>
  </refsynopsisdiv>

  <refsect1 id='pam_fail_delay-description'>
    <title>DESCRIPTION</title>
    <para>
      The <function>pam_fail_delay</function> function provides a
      mechanism by which an application or module can suggest a minimum
      delay of <emphasis>usec</emphasis> micro-seconds. The
      function  keeps a record of the longest time requested with this
      function. Should
      <citerefentry>
        <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry> fail, the failing return to the application is
      delayed by an amount of time randomly distributed (by up to 50%)
      about this longest value.
    </para>
    <para>
      Independent of success, the delay time is reset to its zero
      default value when the PAM service module returns control to
      the application. The delay occurs <emphasis>after</emphasis> all
      authentication modules have been called, but <emphasis>before</emphasis>
      control is returned to the service application.
    </para>
    <para>
      When using this function the programmer should check if it is
      available with:
    </para>
      <programlisting>
#ifdef HAVE_PAM_FAIL_DELAY
    ....
#endif /* HAVE_PAM_FAIL_DELAY */
      </programlisting>

    <para>
      For applications written with a single thread that are event
      driven in nature, generating this delay may be undesirable.
      Instead, the application may want to register the delay in some
      other way. For example, in a single threaded server that serves
      multiple authentication requests from a single event loop, the
      application might want to simply mark a given connection as
      blocked until an application timer expires. For this reason
      the delay function can be changed with the
      <emphasis>PAM_FAIL_DELAY</emphasis> item. It can be queried and
      set with
      <citerefentry>
        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>
      and
      <citerefentry>
        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>  respectively. The value used to set it should be
      a function pointer of the following prototype:
      <programlisting>
void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr);
      </programlisting>
      The arguments being the <emphasis>retval</emphasis> return code
      of the module stack, the <emphasis>usec_delay</emphasis>
      micro-second delay that libpam is requesting and the
      <emphasis>appdata_ptr</emphasis> that the application has associated
      with the current <emphasis>pamh</emphasis>. This last value was set
      by the application when it called
      <citerefentry>
        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry> or explicitly with
      <citerefentry>
        <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>.
    </para>
    <para>
      Note that the PAM_FAIL_DELAY item is set to NULL by default. This
      indicates that PAM should perform a random delay as described
      above when authentication fails and a delay has been suggested.
      If an application does not want the PAM library to perform any
      delay on authentication failure, then the application must define
      a custom delay function that executes no statements and set
      the PAM_FAIL_DELAY item to point to this function.
    </para>
  </refsect1>

  <refsect1 id='pam_fail_delay-rationale'>
    <title>RATIONALE</title>
    <para>
      It is often possible to attack an authentication scheme by exploiting
      the time it takes the scheme to deny access to an applicant user.  In
      cases of <emphasis>short</emphasis> timeouts, it may prove possible
      to attempt a <emphasis>brute force</emphasis> dictionary attack --
      with an automated process, the attacker tries all possible passwords
      to gain access to the system. In other cases, where individual
      failures can take measurable amounts of time (indicating the nature
      of the failure), an attacker can obtain useful information about the
      authentication process. These latter attacks make use of procedural
      delays that constitute a <emphasis>covert channel</emphasis>
      of useful information.
    </para>
    <para>
      To minimize the effectiveness of such attacks, it is desirable to
      introduce a random delay in a failed authentication process.
      Preferable this value should be set by the application or a special
      PAM module. Standard PAM modules should not modify the delay
      unconditional.
    </para>
  </refsect1>

  <refsect1 id='pam_fail_delay-example'>
    <title>EXAMPLE</title>
    <para>
      For example, a login application may require a failure delay of
      roughly 3 seconds. It will contain the following code:
    </para>
    <programlisting>
    pam_fail_delay (pamh, 3000000 /* micro-seconds */ );
    pam_authenticate (pamh, 0);
    </programlisting>

    <para>
      if the modules do not request a delay, the failure delay will be
      between 1.5 and 4.5 seconds.
    </para>

    <para>
      However, the modules, invoked in the authentication process, may
      also request delays:
    </para>

    <programlisting>
module #1:    pam_fail_delay (pamh, 2000000);
module #2:    pam_fail_delay (pamh, 4000000);
    </programlisting>

    <para>
      in this case, it is the largest requested value that is used to
      compute the actual failed delay: here between 2 and 6 seconds.
    </para>
  </refsect1>

  <refsect1 id='pam_fail_delay-return_values'>
    <title>RETURN VALUES</title>
    <variablelist>
      <varlistentry>
        <term>PAM_SUCCESS</term>
        <listitem>
           <para>
            Delay was successful adjusted.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PAM_SYSTEM_ERR</term>
        <listitem>
           <para>
             A NULL pointer was submitted as PAM handle.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1 id='pam_fail_delay-see_also'>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum>
      </citerefentry>
    </para>
  </refsect1>

  <refsect1 id='pam_fail_delay-standards'>
    <title>STANDARDS</title>
    <para>
      The <function>pam_fail_delay</function> function is an
      Linux-PAM extension.
    </para>
  </refsect1>

</refentry>