[Pkg-shadow-commits] r3039 - debian/trunk/debian
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Thu Jul 23 20:56:33 UTC 2009
Author: nekral-guest
Date: 2009-07-23 20:56:32 +0000 (Thu, 23 Jul 2009)
New Revision: 3039
Modified:
debian/trunk/debian/changelog
debian/trunk/debian/login.pam
Log:
* debian/login.pam: pam_securetty included as a required module instead of
requisite to avoid leak of user name information. Closes: #531341
Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog 2009-07-23 20:41:35 UTC (rev 3038)
+++ debian/trunk/debian/changelog 2009-07-23 20:56:32 UTC (rev 3039)
@@ -15,8 +15,10 @@
for regular expressions. Closes: #534244
* debian/patches/506_relaxed_usernames: Fixed typo. groupadd(8) should
document the restriction on groupnames, not usernames.
+ * debian/login.pam: pam_securetty included as a required module instead of
+ requisite to avoid leak of user name information. Closes: #531341
- -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net> Sat, 18 Jul 2009 19:20:30 +0200
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net> Thu, 23 Jul 2009 22:55:12 +0200
shadow (1:4.1.4.1-1) unstable; urgency=low
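Review bot: the added changelog entry records only the benefit ("avoid leak of user name information") and not the behaviour change that comes with it. With pam_securetty as "required", root is now prompted for a password on ttys not listed in /etc/securetty, which the comment removed from debian/login.pam in this same revision says "requisite" was there to prevent. Suggest adding a clause to the entry so that administrators reading the changelog on upgrade see the trade-off.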
Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam 2009-07-23 20:41:35 UTC (rev 3038)
+++ debian/trunk/debian/login.pam 2009-07-23 20:56:32 UTC (rev 3039)
@@ -14,13 +14,11 @@
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
-# Note that it is included as a "requisite" module. No password prompts will
-# be displayed if this module fails to avoid having the root password
-# transmitted on unsecure ttys.
-# You can change it to a "required" module if you think it permits to
-# guess valid user names of your system (invalid user names are considered
-# as possibly being root).
-auth requisite pam_securetty.so
+# Note that it is included as a "required" module. root will be
+# prompted for a password on insecure ttys.
+# If you change it to a "requisite" module, make sure this does not leak
+# user name information.
+auth required pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
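Review bot: the replacement comment above "auth required pam_securetty.so" drops the reasoning the old text carried for both sides of the trade-off. "root will be prompted for a password on insecure ttys" does not say why that matters, while the removed lines did: the root password ends up transmitted on an unsecure tty. Likewise "make sure this does not leak user name information" gives an administrator nothing to check, whereas the removed text explained the mechanism: with "requisite" no password prompt is displayed when the module fails, and invalid user names are considered as possibly being root. Suggest keeping one sentence for each in the new comment. It would also help to say whether the root login is still refused after the prompt, since the unchanged first line ("Disallows root logins except on tty's listed in /etc/securetty") now sits directly above "root will be prompted for a password".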