[Pkg-shadow-devel] Bug#443322: Bug#443322: Bug#443322: login: immediate 'Login incorrect' after unknown user name

[Christian Perrier]

Quoting Christian Perrier (bubulle at debian.org):
> Quoting Dwight Davis (sivad_thgiwd at yahoo.ca):
> > Oops!, these lines are indeed different in my config,
> > but they make no difference.
> > 
> > The line that is causing this behavior is:
> > 
> > auth       requisite  pam_securetty.so
> > 
> > According to the man page this module should have no
> > affect if the username is not recognized. The default
> > for the "requisite" keyword is to die.
> > 
> > Changing the keyword "requisite" to "required", as the
> > man page recommends, causes the normal behavior of
> > login. 
> 
> 
> Yes, I confirm that.
> 
> I pinged Steve Langasek on IRC to get some more expert advice when it
> comes at PAM stuff.
> 
> 

A discussion happened on IRC about this:

09:38 <vorlon> do you know if that's a recent change in the behavior of pam_securetty?
09:38 <vorlon> or is it just a recent change in the contents of /etc/pam.d/login?
09:39 <vorlon> I don't like the idea of being able to brute force usernames via login, however unlikely this is
--- Log closed dim oct 21 09:44:35 2007
--- Log opened dim oct 21 09:44:48 2007
09:44 <vorlon> anyway, the advantage of using requisite for pam_securetty is that if it's *not* a secure tty, the user has no opportunity to type the root password at all
09:44 <vorlon> but apparently there are side effects that don't belong
--- Log closed dim oct 21 09:50:35 2007
--- Log opened dim oct 21 12:19:42 2007
12:19 <bubulle> I don't know if it's a recent change in pam_securetty
12:19 <bubulle> not a change in /etc/pam.d/login for sure

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20071021/38a9aa15/attachment.pgp