libpam
extern const char *pam_strerror(int errnum);
This function returns some text describing the Linux-PAM error associated with the argument errnum. If the error is not recognized, ``Unknown Linux-PAM error'' is returned.
extern int pam_fail_delay(pam_handle_t *pamh, unsigned int micro_sec);
This function is offered by Linux-PAM to facilitate time delays following a failed call to pam_authenticate() and before control is returned to the application.
Generally, an application requests that a user is authenticated by Linux-PAM through a call to pam_authenticate() or pam_chauthtok(). These functions call each of the stacked authentication modules listed in the /etc/pam.conf file. As directed by this file, one or more of the modules may fail, causing the pam_...() call to return an error. It is desirable for there to also be a pause before the application continues. The principal reason for such a delay is security: a delay acts to discourage brute force dictionary attacks primarily, but also helps hinder timed (covert channel) attacks.
The pam_fail_delay() function provides the mechanism by which an application or module can suggest a minimum delay (of micro_sec micro-seconds). Linux-PAM keeps a record of the longest time requested with this function. Should pam_authenticate() fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 25%) about this longest value.
Independent of success, the delay time is reset to its zero default value when Linux-PAM returns control to the application.
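The bookkeeping described above can be modelled in a few lines of C. This is an added example, not Linux-PAM source: struct delay_state, request_delay(), failure_delay() and finish_call() are hypothetical names, and the random value is passed in by the caller so the model does not depend on any particular random source.

```c
/* Model of the pam_fail_delay() bookkeeping described above; not Linux-PAM source. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the delay record kept with a PAM handle. */
struct delay_state {
    unsigned int longest_usec;   /* longest delay requested so far */
};

/* Models pam_fail_delay(): a request can raise the delay, never lower it. */
static void request_delay(struct delay_state *st, unsigned int micro_sec)
{
    if (micro_sec > st->longest_usec)
        st->longest_usec = micro_sec;
}

/* Delay applied on failure: spread over 75%..125% of the longest request,
 * to within integer rounding. rnd is any caller-supplied random number. */
static unsigned int failure_delay(const struct delay_state *st, unsigned int rnd)
{
    unsigned long long base = st->longest_usec;
    unsigned long long span = base / 2;              /* width of the window */
    unsigned long long total = base - base / 4 + rnd % (span + 1);
    return total > UINT_MAX ? UINT_MAX : (unsigned int)total;
}

/* Models the return to the application: compute the delay only on failure,
 * then reset the record to zero whether or not authentication succeeded. */
static unsigned int finish_call(struct delay_state *st, int failed, unsigned int rnd)
{
    unsigned int wait = failed ? failure_delay(st, rnd) : 0;
    st->longest_usec = 0;
    return wait;
}

int main(void)
{
    struct delay_state st = { 0 };
    request_delay(&st, 2000000);   /* constructed: a module asks for 2 s */
    request_delay(&st, 500000);    /* constructed: application asks for 0.5 s */
    printf("failure delay: %u us\n", finish_call(&st, 1, (unsigned int)rand()));
    printf("next failure, nothing requested: %u us\n", finish_call(&st, 1, 7u));
    return 0;
}
```

Two consequences follow from the model: a shorter request from the application cannot reduce a longer delay set by a module, and because the record is reset on every return, the delay has to be requested again before each authentication attempt.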