[Pkg-shadow-devel] pam_securetty failure for unknown users on secure ttys

Nicolas François nekral.lists at gmail.com
Fri Jun 20 22:53:55 UTC 2008


Hello Thorsten,

Do you think unknown users should be denied by pam_securetty on secure
TTYs (whether it's a mistyped regular user, a mistyped root user, or a
non-existent user)?

On Debian, login does not enforce any PAM delay (the reason was to leave the
configuration of delays to PAM (instead of PAM + login.defs), and also
because delays are used to avoid brute-force attacks - and modules like
pam_securetty or pam_nologin do not need to be protected against brute-force
attacks and can lead to an immediate failure).

With the current pam_securetty failures on secure TTYs, it is possible to
brute force usernames via login.

If the failure were limited to non-secure TTYs, this would limit the
possibility of such brute forcing.

Best Regards,
-- 
Nekral
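The behaviour discussed in the message above, as an added model that is not Linux-PAM's code and not part of the original post: the "old" policy looks the user up before it looks at the tty, so an unknown name fails at once, while a real non-root name passes through to the next module; the "fixed" policy consults the tty first, so on a secure tty every name gets the same answer from pam_securetty and the decision is left to pam_unix (which is the module that sits behind the delay). The passwd and securetty contents, the user names and the policy function names are constructed for the example; on a login stack where pam_securetty is listed as requisite ahead of pam_unix, the difference in the first column is exactly what the message calls an immediate failure.

```python
"""Model of the pam_securetty decision order discussed in the thread.
This is an added example, not the module's real source: it only shows
why the order of the two checks decides whether the module's verdict on
a secure tty depends on the user name existing."""

# Constructed sample data standing in for /etc/passwd and /etc/securetty.
PASSWD_UIDS = {"root": 0, "alice": 1000}
SECURE_TTYS = {"tty1", "tty2", "console"}

# Return codes, named after the PAM constants they stand in for.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def securetty_old(user, tty):
    """User lookup first, tty second (the behaviour the message complains about)."""
    uid = PASSWD_UIDS.get(user)
    if uid is None:
        # Unknown name: immediate failure, whatever the tty is.
        return PAM_USER_UNKNOWN
    if uid != 0:
        # securetty only restricts root; everyone else passes this module.
        return PAM_SUCCESS
    return PAM_SUCCESS if tty in SECURE_TTYS else PAM_AUTH_ERR


def securetty_fixed(user, tty):
    """Tty first: on a secure tty nobody is refused here, so the
    existence of the name is only tested later, by pam_unix."""
    if tty in SECURE_TTYS:
        return PAM_SUCCESS
    uid = PASSWD_UIDS.get(user)
    if uid is None:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if uid != 0 else PAM_AUTH_ERR


def leaks_user_existence(policy, tty):
    """True when the module answers differently for an unknown name and
    a known non-root name on this tty: with no login delay in front of
    it, that difference is observable as an immediate failure."""
    return policy("nosuchuser", tty) != policy("alice", tty)


def verdict_table(policy, tty):
    """Verdicts for an unknown name, a regular user and root on one tty."""
    return {name: policy(name, tty) for name in ("nosuchuser", "alice", "root")}


if __name__ == "__main__":
    for label, policy in (("old", securetty_old), ("fixed", securetty_fixed)):
        for tty in ("tty1", "ttyS9"):
            print(label, tty, verdict_table(policy, tty),
                  "leaks" if leaks_user_existence(policy, tty) else "no leak")
```

Running the block shows the old policy distinguishing `nosuchuser` from `alice` on `tty1`, and the fixed policy giving both `PAM_SUCCESS` there while still refusing root on the non-secure `ttyS9`; the unknown-name answer on a non-secure tty is unchanged in both, which is the "limited to non-secure TTYs" outcome the message asks for.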