{"id":22140897,"url":"https://github.com/stealth/pam_schroedinger","last_synced_at":"2025-07-14T03:38:15.892Z","repository":{"id":15214794,"uuid":"17943266","full_name":"stealth/pam_schroedinger","owner":"stealth","description":"Uncertainty for brute forcers during login.","archived":false,"fork":false,"pushed_at":"2017-05-18T11:40:02.000Z","size":12,"stargazers_count":25,"open_issues_count":0,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2023-03-14T04:05:16.375Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stealth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-03-20T13:18:39.000Z","updated_at":"2022-07-20T11:25:45.000Z","dependencies_parsed_at":"2022-07-30T16:39:05.769Z","dependency_job_id":null,"html_url":"https://github.com/stealth/pam_schroedinger","commit_stats":null,"previous_names":[],"tags_count":4,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fpam_schroedinger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fpam_schroedinger/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fpam_schroedinger/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fpam_schroedinger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stealth","download_url":"https://codeload.github.com/stealth/pam_schroedinger/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com",
"kind":"github","repositories_count":227629069,"owners_count":17796054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-01T21:08:32.659Z","updated_at":"2024-12-01T21:08:33.301Z","avatar_url":"https://github.com/stealth.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"pam_schroedinger\n================\n\n_pam_schroedinger_ protects PAM accounts from dictionary/brute-force attacks\nby only returning PAM_SUCCESS if there was no previous login or attempt\nwithin a certain timeframe. In a common scenario, users do not authenticate\nmore than once in a second. Everything else looks like a brute force.\n_pam_schroedinger_ protects PAM accounts from dictionary attacks much better\nthan a sleep-based delay hardcoded into the authentication mechanism, as used\ntoday in _su_ or _sudo_ for example.\nThe attacker will see no delay in his attack, but he will not see which\nlogin token succeeds, even if he tried the right one. This adds a certain\nuncertainty to the login process, so attackers can never be sure whether\nthe cat is dead or alive.\nThis is the opposite of _pam_timestamp_.\n\nInstallation\n------------\n\nJust type\n\n    $ make\n\nto build it. Then\n\n    # mkdir -m 0755 /var/run/schroedinger\n\nand:\n\n    # cp pam_schroedinger.so /lib64/security\n\non a 64-bit machine, or:\n\n    # cp pam_schroedinger.so /lib/security\n\nfor 32-bit architectures. Then add it to the PAM stack by adding it to\n_/etc/pam.d/su_ or whatever service you want to protect:\n\n    auth    required        pam_schroedinger.so dir=/var/run/schroedinger delay=1\n\nThese are all the arguments that can be passed to _pam_schroedinger_, shown with their\ndefault values. The _delay_ is in seconds. The ticket-files are stored in _dir_.\n\n\nWhy's that necessary?\n---------------------\n\nToday's machines are fast enough to allow thousands of cracks/sec by cleverly\narranging ptys and processes like su or sudo to try a login token, despite\nsleep-delays which just add a constant delay of a few seconds to the overall\nattack. This is due to today's computing power: even modest desktop machines\nhave gigabytes of RAM and multiple cores, which allows running several\nhundred instances of _su/sudo_ in parallel. Just try:\n\n    $ ./enabler -c sudo -n 200 \u003c /usr/share/dict/words\n\non a core-i5 laptop for example.\n\n\nWhat else?\n----------\n\nThe idea is so simple that it's probably re-invented every Friday.\n\nBe aware that if you apply _pam_schroedinger_ to remote services,\nit is easier to DoS you. Attackers can DoS you anyway by consuming\nall available connection slots, but it makes it easier (even though\nthey won't notice). For services like ssh it's strongly recommended\nto (also) use pubkey authentication, which would allow you to log in\nvia keys rather than PAM if you are under brute force attack/DoS.\nYou can also consider switching from password authentication to\nsomething else (in the ssh case that's easy) entirely.\n\nDo not use weak passwords, even when using _pam_schroedinger_.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealth%2Fpam_schroedinger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstealth%2Fpam_schroedinger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealth%2Fpam_schroedinger/lists"}