[PATCH 0/3 v2] PolicyKit - Add Shadow authorisation framework
David Zeuthen
david at fubar.dk
Sun Dec 16 18:56:53 PST 2007
On Mon, 2007-12-17 at 02:55 +0000, Carlos Corbacho wrote:
> > - Really need to do a "sleep (2);" on the wrong password to discourage
> > an attack where one is hammering the system with different passwords
> > (polkit-grant-helper relies on the authentication framework (e.g.
> > PAM) doing this) [1]
>
> Easily fixed. Although the file you quote uses sleep(10). Should we go 2, 10,
> or in the middle with 5?
I think two seconds is more than enough (IIRC PAM on Fedora uses one
second but haven't checked the source); more than two seconds would be
annoying for the user if he mistyped his password.
David
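A sketch of the failed-password delay discussed in this thread, added here as an illustration and not taken from the PolicyKit patch or from PAM. The names `authenticate_with_delay`, `verify_fn` and `demo_verify` are hypothetical, and the verifier is a constructed stand-in for the real shadow comparison.

```c
#define _POSIX_C_SOURCE 200809L   /* clock_gettime, nanosleep */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical callback: returns 1 if the password is correct, 0 otherwise. */
typedef int (*verify_fn)(const char *user, const char *password);

/* Milliseconds on the monotonic clock, unaffected by wall-clock changes. */
static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* sleep() returns early if a signal handler runs; resume with the remainder. */
static void sleep_full_ms(long ms)
{
    struct timespec req = { ms / 1000, (ms % 1000) * 1000000L };
    struct timespec rem;
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;
}

/* Success returns at once; failure returns only after fail_delay_ms. */
int authenticate_with_delay(verify_fn verify, const char *user,
                            const char *password, long fail_delay_ms)
{
    if (verify(user, password))
        return 1;
    sleep_full_ms(fail_delay_ms);
    return 0;
}

/* Constructed stand-in for the real shadow/crypt() comparison. */
static int demo_verify(const char *user, const char *password)
{
    return strcmp(user, "alice") == 0 && strcmp(password, "correct horse") == 0;
}

int main(void)
{
    long long t0 = now_ms();
    int ok = authenticate_with_delay(demo_verify, "alice", "guess", 2000);
    printf("wrong password: ok=%d after %lld ms\n", ok, now_ms() - t0);
    return 0;
}
```

Only the failure path pays the delay, so a user who types the password correctly is not slowed down.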