Re: [Pkg-shadow-devel] pam_securetty failure for unknown users on secure ttys

Hello Thorsten,

Do you think unknown users should be denied by pam_securetty on secure
TTYs?
(whether it's a mistyped regular user, a mistyped root user, or a
non-existing user).

On Debian, login does not enforce any PAM delay (the reason was to leave the
configuration of delays to PAM (instead of PAM + login.defs), and also
because delays are used to avoid brute force attacks - and modules like
pam_securetty or pam_nologin do not need to be protected against brute
force attacks and can lead to an immediate failure).

With the current pam_securetty failures on secure TTYs, it is possible to
brute force usernames via login.

If the failure were limited to non-secure TTYs, this would limit the
probability of such brute force.

Best Regards,
-- 
Nekral

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
