pam_securetty failure for unknown users on secure ttys

Hello,

On Debian, login uses pam_securetty as a requisite module.
The reason for this is to fail immediately if the tty is not secure to
avoid prompting for a password on an insecure line.

In Linux-PAM-0_99_1_0 (pam_securetty.c revision 1.8), the return value of
the authentication function was changed from PAM_IGNORE to
PAM_USER_UNKNOWN.
When pam_securetty is a requisite module, this means that the
authentication will fail immediately if the user does not exist in the
system. This might indicate to an attacker that the given user does not
exist.

What was the rationale for changing the return value from PAM_IGNORE to
PAM_USER_UNKNOWN?
(BTW the pam_securetty's manpage needs an update)

I would prefer that pam_securetty fails only if the tty is not secure and
the user is root or unknown.
And to leave the user authentication / check for validity to the pam_unix
module.

Best Regards,
-- 
Nekral

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
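To make the observable difference concrete, here is an added toy model of a Linux-PAM auth stack (example code written for this page; it is not Linux-PAM source and not the poster's code). It evaluates the two-module stack the post describes, `pam_securetty` as `requisite` followed by `pam_unix` as `required`, under three variants of pam_securetty: the pre-0.99.1 behaviour (unknown user returns PAM_IGNORE), the 0.99.1 behaviour the post complains about (PAM_USER_UNKNOWN), and the poster's proposal (deny only when the tty is insecure and the user is root or unknown). The securetty list, the user table and the passwords are constructed stand-ins for /etc/securetty, /etc/passwd and /etc/shadow; the `probe` helper, the mode names and the simplified control-flag semantics are assumptions of this example. The quantity an attacker can watch is whether a password prompt ever appears.

```python
"""Toy model of a Linux-PAM auth stack, showing what a client can observe when
pam_securetty is 'requisite' and returns PAM_USER_UNKNOWN for a non-existent
user. Added example; not Linux-PAM source. All data below is constructed."""
from functools import partial

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed stand-ins for /etc/securetty, /etc/passwd (uid) and /etc/shadow.
SECURETTY = {"tty1", "tty2"}
PASSWD_UID = {"root": 0, "alice": 1000}
SHADOW = {"root": "root-secret", "alice": "alice-secret"}  # plaintext, toy only


class Conversation:
    """Records every prompt the stack sends to the client and answers with one
    fixed string; the prompt list is exactly what a remote client can see."""

    def __init__(self, answer):
        self.answer = answer
        self.prompts = []

    def ask(self, prompt):
        self.prompts.append(prompt)
        return self.answer


def pam_securetty(user, tty, conv, mode="current"):
    """mode='legacy'  : unknown user -> PAM_IGNORE (pre-0.99.1 behaviour)
       mode='current' : unknown user -> PAM_USER_UNKNOWN (0.99.1 behaviour)
       mode='proposed': the poster's suggestion, deny only when the tty is
                        insecure and the user is root or unknown.
       The mode names are an assumption of this example."""
    secure = tty in SECURETTY
    if user not in PASSWD_UID:
        if mode == "legacy":
            return PAM_IGNORE
        if mode == "current":
            return PAM_USER_UNKNOWN
        return PAM_IGNORE if secure else PAM_AUTH_ERR
    if PASSWD_UID[user] == 0 and not secure:
        return PAM_AUTH_ERR          # root on an insecure tty: never prompt
    return PAM_SUCCESS


def pam_unix(user, tty, conv):
    """Always asks for a password, so known and unknown users look the same
    to the client; the difference is only in the return code."""
    answer = conv.ask("Password: ")
    if user not in PASSWD_UID:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if SHADOW[user] == answer else PAM_AUTH_ERR


def run_stack(stack, user, tty, conv):
    """Evaluate (control, module) pairs with simplified classic control flags."""
    failure = None                       # first required/requisite failure
    for control, module in stack:
        rc = module(user, tty, conv)
        if rc == PAM_IGNORE:
            continue                     # module asked to be skipped
        if control == "requisite" and rc != PAM_SUCCESS:
            return failure or rc         # die: later modules never run
        if control == "required" and rc != PAM_SUCCESS and failure is None:
            failure = rc                 # remember the failure, keep going
        if control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS
    return failure or PAM_SUCCESS


def probe(user, tty, mode):
    """Attempt a login as `user` on `tty` with a wrong password; return the
    final PAM code and whether a password prompt was ever shown."""
    conv = Conversation(answer="not-the-password")
    stack = [
        ("requisite", partial(pam_securetty, mode=mode)),  # Debian login order
        ("required", pam_unix),
    ]
    rc = run_stack(stack, user, tty, conv)
    return rc, bool(conv.prompts)


if __name__ == "__main__":
    for mode in ("legacy", "current", "proposed"):
        for user, tty in (("alice", "tty1"), ("nosuchuser", "tty1"),
                          ("nosuchuser", "pts/0"), ("root", "pts/0")):
            rc, prompted = probe(user, tty, mode)
            print(f"{mode:8} {user:10} {tty:6} prompted={prompted!s:5} -> {rc}")
```

Running it shows the point of the post: with the 0.99.1 behaviour, `nosuchuser` on tty1 is rejected before any password prompt while `alice` is prompted, so the presence of the prompt alone tells the client which names exist. With the legacy PAM_IGNORE return, both are prompted and only the return code differs, which `login` reports as a generic failure. In the `proposed` variant, an unknown user and root on an insecure tty behave identically (denied, no prompt), while on a secure tty the unknown user is passed on to pam_unix and prompted like anyone else.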
