[Pkg-shadow-commits] r3178 - debian/trunk/debian
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Sat Mar 20 10:57:44 UTC 2010
Author: nekral-guest
Date: 2010-03-20 10:57:44 +0000 (Sat, 20 Mar 2010)
New Revision: 3178
Modified:
debian/trunk/debian/login.pam
Log:
Apply patch already described in the current changelog:
* debian/login.pam: return back to mostly "requisite" for the pam_securetty
PAM module, but ignore PAM_USER_UNKNOWN. This will prevent root from
entering a password, and will also avoid user enumeration attacks.
Mis-typed root logins are not protected; only root can be blamed for
mis-typing and entering a password on an insecure line. Users willing to
protect against mis-typed root logins can use "requisite", but will be
vulnerable to user enumeration attacks on insecure lines, and should use
pam 1.1.0-4 at least. Closes: #574082, #531341
Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam 2010-03-20 10:52:52 UTC (rev 3177)
+++ debian/trunk/debian/login.pam 2010-03-20 10:57:44 UTC (rev 3178)
@@ -14,13 +14,22 @@
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
-# Note that it is included as a "requisite" module. No password prompts will
-# be displayed if this module fails to avoid having the root password
-# transmitted on unsecure ttys.
+#
+# With the default control of this module:
+# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a pasword on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
-# as possibly being root).
-auth requisite pam_securetty.so
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
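Review bot: the new comment block in this hunk has typos and a dangling comparison that should be fixed before it ships as the documentation for the control string: `# root will not be prompted for a pasword on insecure lines.` should read "password", the next line should start with a capital ("If an invalid username is entered, ..."), and `# this will leave the system as vulnerable to user enumeration attacks.` should drop "as" or state what it is compared to (the old plain "requisite" behaviour). The retained "required" paragraph also still reads as if enumeration were the default file's problem, but with `user_unknown=bad` the module now records a failure for unknown users and lets the stack continue to the password prompt, which is exactly what closes the enumeration hole; reword it so it says that "required" only differs from the default by also prompting root for a password on insecure lines (`default=die` already behaves like "requisite" for that case), or drop it. Finally, the log message says this control string needs pam 1.1.0-4 at least, but nothing in the file records that requirement; a one-line note that the `user_unknown=bad` branch only takes effect when pam_securetty actually returns PAM_USER_UNKNOWN would save the next maintainer from wondering why the enumeration protection does not work on an older libpam.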