Jo Rhett jrhett@netconsonance.com writes:
> I did, and found that pam_ldap had altered the password prior to submittal. It turns out that for what it perceives as invalid user ids, it changes the password hash to 'INCORECT', mis-spelling and all. There was a problem with nsswitch/nscd; once that was resolved, the userid was valid and ldap worked fine.
> This is hardly useful behavior. I fail to understand why this particular approach is taken.
I can tell you in general why a PAM module would do that. One of the security concerns discovered a while back in PAM-style systems is that one could tell from timing measurements whether or not the username one attempted was valid but you had the wrong password or whether the username was entirely invalid. That's because the second case would be rejected much faster than the first. This information disclosure vulnerability could then be used to further target brute-force password attacks and sometimes even to deduce e-mail addresses for spam targets and other purposes.
Many PAM modules and PAM-using applications were therefore modified to never reject invalid users up-front. Instead, they would mangle the password into something that would (hopefully) never authenticate and then go through the authentication process, hopefully thereby causing the failure to take roughly the same length of time in both cases.
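The difference the reply describes, as an added illustration that is not part of the thread and is not pam_ldap's code: a leaky authenticator that returns as soon as the username lookup fails, beside one that runs the full (deliberately slow) password check against a dummy entry for unknown users so that both kinds of failure cost about the same. PBKDF2 stands in for whatever hashing or LDAP bind the real module performs, the user table and salt are constructed, and the 'INCORECT' sentinel is only a nod to the post, not a claim about how pam_ldap builds its substitute. Note the explicit `known` flag: the dummy entry equalizes cost, but rejection of an unknown user must not depend on the dummy failing to match.

```python
import hashlib
import hmac
import os
import time

# Constructed credential store (not from the original post): username -> (salt, PBKDF2 digest).
ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow hash so that the timing difference is measurable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy entry used for unknown users. The sentinel password is hypothetical; it only
# exists so that the same expensive hash runs whether or not the user is real.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _hash("INCORECT", DUMMY_SALT)


def auth_leaky(user: str, password: str) -> bool:
    """Rejects unknown users before hashing: the fast path reveals that 'user' does not exist."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)


def auth_uniform(user: str, password: str) -> bool:
    """Always runs the full hash; unknown users are checked against the dummy entry."""
    entry = USERS.get(user)
    known = entry is not None
    salt, stored = entry if known else (DUMMY_SALT, DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # 'known' is what guarantees rejection; the dummy only makes the failure take as long.
    return matched and known


def median_reject_seconds(fn, user: str, reps: int = 5) -> float:
    """Median wall-clock time for fn to reject a wrong password for the given user."""
    samples = []
    for _ in range(reps):
        t0 = time.perf_counter()
        fn(user, "definitely wrong")
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def timing_ratio(fn) -> float:
    """Unknown-user rejection time divided by known-user-wrong-password rejection time.

    Near 0 means the username's existence leaks through timing; near 1 means it does not.
    """
    return median_reject_seconds(fn, "nobody") / median_reject_seconds(fn, "alice")


if __name__ == "__main__":
    for fn in (auth_leaky, auth_uniform):
        print(f"{fn.__name__}: unknown/known rejection time ratio = {timing_ratio(fn):.3f}")
```

Equalizing the hash cost removes only the difference the reply talks about; a real module that also does a directory lookup or a network bind for known users still has other timing differences to worry about, so measure the whole path rather than assuming the dummy hash is enough.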