
Re: pam_ldap doesn't bind SIMPLE for anonymous auth?
Jo Rhett <jrhett@netconsonance.com> writes:

> I did, and found that pam_ldap had altered the password prior to
> submittal.  It turns out that for what it perceives as invalid user ids,
> it changes the password hash to 'INCORECT', mis-spelling and all.  There
> was a problem with nsswitch/nscd which when resolved, the userid was
> valid and ldap worked fine.

> This is hardly useful behavior.  I fail to understand why this
> particular approach is taken.

I can tell you in general why a PAM module would do that.  One of the
security concerns discovered a while back in PAM-style systems is that one
could tell from timing measurements whether or not the username one
attempted was valid but you had the wrong password or whether the username
was entirely invalid.  That's because the second case would be rejected
much faster than the first.  This information disclosure vulnerability
could then be used to further target brute-force password attacks and
sometimes even to deduce e-mail addresses for spam targets and other
purposes.

Many PAM modules and PAM-using applications were therefore modified to
never reject invalid users up-front.  Instead, they would mangle the
password into something that would (hopefully) never authenticate and then
go through the authentication process, hopefully thereby causing the
failure to take roughly the same length of time in both cases.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
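Added example, not from this thread and not pam_ldap's own code: a Python sketch of the two authentication paths Russ describes, an early-return version that leaks username validity through timing, and a hardened version that, like the password mangling he explains, pays the full verification cost for unknown users too. The account name, password and PBKDF2 record store are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # the same work factor is paid on every path


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 record, standing in for a directory password hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (hypothetical account, not from the thread).
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record for unknown users: built from a random password so it never matches
# on purpose, but verifying against it costs exactly as much as a real record.
_DUMMY_SALT, _DUMMY_HASH = make_record(secrets.token_hex(32))


def auth_naive(username: str, password: str) -> bool:
    """Rejects unknown users before hashing: that path fails in microseconds,
    so the response time reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, stored)


def auth_hardened(username: str, password: str) -> bool:
    """Same principle as the pam_ldap mangling described in the thread: an unknown
    user is not rejected up front; the full verification still runs, against a
    record that cannot match, so both failure cases take about the same time."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(derived, stored)  # constant-time, always executed
    return known and matched


def elapsed(fn, username: str, password: str) -> float:
    """Wall-clock seconds for one authentication attempt."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (auth_naive, auth_hardened):
        bad_pw = elapsed(fn, "alice", "wrong password")
        bad_user = elapsed(fn, "mallory", "wrong password")
        print(f"{fn.__name__:14s} wrong password: {bad_pw:.4f}s  unknown user: {bad_user:.4f}s")
```

Running the script shows the naive path rejecting the unknown user far faster than the wrong password, while the hardened path takes roughly the same time for both.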