On Sat, Jun 14, Nicolas François wrote:

> Hello,
>
> On Debian, login uses pam_securetty as a requisite module.
> The reason for this is to fail immediately if the tty is not secure to
> avoid prompting for a password on an insecure line.
>
> In Linux-PAM-0_99_1_0 (pam_securetty.c revision 1.8), the return value of
> the authentication function was changed from PAM_IGNORE to
> PAM_USER_UNKNOWN.
> When pam_securetty is a requisite module, this means that the
> authentication will fail immediately if the user does not exist in the
> system. This might indicate to an attacker that the given user does not
> exist.

If you don't like that, you can overwrite in this case (see pam.conf manual page).

> What was the rationale for changing the return value from PAM_IGNORE to
> PAM_USER_UNKNOWN?

Assume root mistypes his account name, pam_securetty would return PAM_IGNORE, next module would allow root to correct the user name and root is able to login on an insecure tty.

> (BTW the pam_securetty's manpage needs an update)

Please make a bug report on sf.net for this, so it does not get lost.

> I would prefer that pam_securetty fails only if the tty is not secure and
> the user is root or unknown.

I fail to see the difference to the current behavior. With your suggestion, an attacker can also simply find out if the account exists or not.

> And to leave the user authentication / check for validity to the pam_unix
> module.

pam_securetty does neither user authentication nor a check for validity, it only needs to find out if the user is root. If it does not know the user, it cannot find out if it is root.

  Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
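The override Thorsten refers to is the explicit control syntax of pam.conf(5), where a module's return value is mapped to an action individually instead of through a keyword. The following configuration fragment is an added example for this thread, not text from either poster or from Linux-PAM itself; the file path /etc/pam.d/login and the surrounding pam_unix line are assumed for illustration, and only the pam_securetty control field is the point.

```text
# /etc/pam.d/login (path assumed for this example)

# Default as discussed in the thread: "requisite" is documented in pam.conf(5)
# as shorthand for
#   [success=ok new_authtok_reqd=ok ignore=ignore default=die]
# so PAM_USER_UNKNOWN falls under "default=die": the stack stops before any
# password prompt, and the early failure differs observably from the
# existing-user case.
auth  requisite  pam_securetty.so

# Alternative: keep the early failure for an insecure tty (PAM_AUTH_ERR is
# still covered by default=die) but let an unknown user name fall through to
# the rest of the stack, so the prompt sequence looks the same whether or not
# the name exists. The later modules then decide; pam_unix rejects the
# unknown user on its own.
# auth  [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so

auth  required   pam_unix.so
```

When choosing the second form, keep in mind Thorsten's caveat: pam_securetty cannot tell whether an unknown name was meant to be root, so the protection against a root login on an insecure line now depends entirely on pam_securetty having seen the correct name, and the remaining modules must still fail closed for an unknown user.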