[Pkg-shadow-commits] r3178 - debian/trunk/debian

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Sat Mar 20 10:57:44 UTC 2010


Author: nekral-guest
Date: 2010-03-20 10:57:44 +0000 (Sat, 20 Mar 2010)
New Revision: 3178

Modified:
   debian/trunk/debian/login.pam
Log:
Apply patch already described in the current changelog:
  * debian/login.pam: return back to mostly "requisite" for the pam_securetty
    PAM module, but ignore PAM_USER_UNKNOWN. This will avoid root from
    entering a password, and will also avoid user enumeration attacks.
    Mis-typed root logins are not protected, only root can be blamed for
    mis-typing and entering a password on an insecure line. Users willing to
    protect against mis-typed root login can use "requisite", but will be
    vulnerable to user enumeration attacks on insecure lines, and should use
    pam 1.1.0-4 at least. Closes: #574082, #531341


Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam	2010-03-20 10:52:52 UTC (rev 3177)
+++ debian/trunk/debian/login.pam	2010-03-20 10:57:44 UTC (rev 3178)
@@ -14,13 +14,22 @@
 
 # Disallows root logins except on tty's listed in /etc/securetty
 # (Replaces the `CONSOLE' setting from login.defs)
-# Note that it is included as a "requisite" module. No password prompts will
-# be displayed if this module fails to avoid having the root password
-# transmitted on unsecure ttys.
+#
+# With the default control of this module:
+#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a pasword on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
 # You can change it to a "required" module if you think it permits to
 # guess valid user names of your system (invalid user names are considered
-# as possibly being root).
-auth       requisite  pam_securetty.so
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
 
 # Disallows other than root logins when /etc/nologin exists
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
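Review bot: the new comment block has a typo and a capitalisation slip that will be read by every admin who opens this file: "root will not be prompted for a pasword on insecure lines." should read "password", and "if an invalid username is entered, a password is prompted (but login" should start with a capital letter and end with a period after "rejected)" on the next line. Beyond the typos, the comment would be clearer if it spelled out that the bracketed control differs from "requisite" only in the user_unknown mapping: "requisite" treats PAM_USER_UNKNOWN like any other failure and dies immediately, whereas `user_unknown=bad` records the failure but lets the stack continue, so an unknown name gets the same password prompt and eventual rejection as a wrong password and the tty no longer leaks which names exist. Stating that one-line difference next to the control would make the trade-off described in the following paragraphs ("requisite" protects a mis-typed root login but enables enumeration; "required" prompts root on insecure lines) much easier to follow.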
