[Pkg-shadow-devel] Bug#482352: libpam-runtime: login for nonexistent user fails without password prompt

Nicholas Fleisher nfleisher at gmail.com
Thu May 22 16:08:03 UTC 2008


On Thu, May 22, 2008 at 5:54 AM, Nico Golde <nion at debian.org> wrote:

> reassign 482352 login
> severity normal
> tags 482352 - security
> thanks
>
> Hi Nicholas,
> * Nicholas Fleisher <nfleisher at gmail.com> [2008-05-22 04:43]:
> [...]
> > Apologies if I've reported this as too severe: it was dealt with as high
> > severity in Arch, and seems like a major issue to this layman.  Wish I
> > could tell you more, but as far as I can tell that's the extent of the
> > problem; everything works just fine if you log in with a name that exists
> > on the system.
>
> Adjusting severity. This is due to /etc/pam.d/login using
> auth       requisite  pam_securetty.so instead of
> auth       required  pam_securetty.so.
>
> However this is a known issue and even documented in the
> manual (man pam.conf):


Thanks very much for the info and for the pointers on how to change it if
desired!  I wasn't aware of the password security concerns that prompted the
'requisite' setting instead of 'required', but simply remembered the
discussion from when this came up on Arch and the level of concern it
generated there.  Anyway, thanks again.


> Looking at this I don't really see this as a security issue, especially not
> as it makes sense to set it to requisite and people can still configure it
> differently if they want.
>
> Opinions?


All sounds reasonable to me.  Sorry for any bother, and thanks for the
pointers!

-NF
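
The difference between the two control flags discussed in this thread, as an added example that is not part of the original messages or of Linux-PAM: a simplified model of an auth stack that shows which modules run when pam_securetty fails. The sample configuration, the use of pam_unix.so as the password-prompting module, and the function names are assumptions made for illustration.

```python
# Added illustration, not code from the thread or from Linux-PAM.
# Simplified model of an "auth" stack: only the two control flags discussed
# in the thread ("required", "requisite") are implemented.

# Constructed sample, not Debian's shipped /etc/pam.d/login.
# pam_unix.so stands in for the module that prompts for the password (assumption).
LOGIN_REQUISITE = """\
auth  requisite  pam_securetty.so
auth  required   pam_unix.so
"""
LOGIN_REQUIRED = LOGIN_REQUISITE.replace("requisite", "required")


def parse_auth_stack(text):
    """Return [(control, module)] for the auth lines of a pam.d-style file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@"):     # skip blanks and @include
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def run_auth(stack, outcomes):
    """Walk the stack; outcomes maps module -> True (success) / False (failure).
    Returns (authenticated, modules_invoked)."""
    invoked, failed = [], False
    for control, module in stack:
        if control not in ("required", "requisite"):
            raise ValueError(f"control flag not modelled: {control}")
        invoked.append(module)
        if not outcomes[module]:
            failed = True
            if control == "requisite":           # fail now, skip the rest
                break
            # "required": remember the failure but keep running the stack
    return (not failed, invoked)


if __name__ == "__main__":
    # Assumption: pam_securetty fails for this attempt and the password is wrong.
    outcomes = {"pam_securetty.so": False, "pam_unix.so": False}
    for name, conf in (("requisite", LOGIN_REQUISITE), ("required", LOGIN_REQUIRED)):
        ok, invoked = run_auth(parse_auth_stack(conf), outcomes)
        prompted = "pam_unix.so" in invoked
        print(f"{name:9} -> authenticated={ok} password_prompt={prompted}")
```

Both configurations deny the login; they differ only in whether the password module is reached, which is the missing prompt described in the report.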