[PATCH 0/3 v2] PolicyKit - Add Shadow authorisation framework

David Zeuthen david at fubar.dk
Sun Dec 16 18:56:53 PST 2007


On Mon, 2007-12-17 at 02:55 +0000, Carlos Corbacho wrote:
> >  - Really need to do a "sleep (2);" on the wrong password to discourage
> >    an attack where one is hammering the system with different passwords
> >    (polkit-grant-helper relies on the authentication framework (e.g.
> >    PAM) doing this) [1]
> 
> Easily fixed. Although the file you quote uses sleep(10). Should we go 2, 10, 
> or in the middle with 5?

I think two seconds is more than enough (IIRC PAM on Fedora uses one
second but haven't checked the source); more than two seconds would be
annoying for the user if he mistyped his password.

     David



