[Pkg-shadow-commits] r3039 - debian/trunk/debian

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Thu Jul 23 20:56:33 UTC 2009 

Author: nekral-guest
Date: 2009-07-23 20:56:32 +0000 (Thu, 23 Jul 2009)
New Revision: 3039

Modified:
   debian/trunk/debian/changelog
   debian/trunk/debian/login.pam
Log:
  * debian/login.pam: pam_securetty included as a required module instead of
    requisite to avoid leak of user name information. Closes: #531341


Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog	2009-07-23 20:41:35 UTC (rev 3038)
+++ debian/trunk/debian/changelog	2009-07-23 20:56:32 UTC (rev 3039)
@@ -15,8 +15,10 @@
     for regular expressions. Closes: #534244
   * debian/patches/506_relaxed_usernames: Fixed typo. groupadd(8) should
     document the restriction on groupnames, not usernames.
+  * debian/login.pam: pam_securetty included as a required module instead of
+    requisite to avoid leak of user name information. Closes: #531341
 
- -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sat, 18 Jul 2009 19:20:30 +0200
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Thu, 23 Jul 2009 22:55:12 +0200
 
 shadow (1:4.1.4.1-1) unstable; urgency=low
 

Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam	2009-07-23 20:41:35 UTC (rev 3038)
+++ debian/trunk/debian/login.pam	2009-07-23 20:56:32 UTC (rev 3039)
@@ -14,13 +14,11 @@
 
 # Disallows root logins except on tty's listed in /etc/securetty
 # (Replaces the `CONSOLE' setting from login.defs)
-# Note that it is included as a "requisite" module. No password prompts will
-# be displayed if this module fails to avoid having the root password
-# transmitted on unsecure ttys.
-# You can change it to a "required" module if you think it permits to
-# guess valid user names of your system (invalid user names are considered
-# as possibly being root).
-auth       requisite  pam_securetty.so
+# Note that it is included as a "required" module. root will be
+# prompted for a password on insecure ttys.
+# If you change it to a "requisite" module, make sure this does not leak
+# user name information.
+auth       required  pam_securetty.so
 
 # Disallows other than root logins when /etc/nologin exists
 # (Replaces the `NOLOGINS_FILE' option from login.defs)

More information about the Pkg-shadow-commits mailing list