[Pkg-shadow-devel] Bug#443322: Bug#443322: login: immediate 'Login incorrect' after unknown user name
Nicolas François
nicolas.francois at centraliens.net
Sun Sep 7 00:25:50 UTC 2008
Hi Steve,
Sorry, I forgot about this email.
On Sun, Aug 24, 2008 at 11:25:20PM -0700, vorlon at debian.org wrote:
> On Sun, Aug 24, 2008 at 03:01:41PM +0200, Nicolas François wrote:
>
> > On Sat, Aug 23, 2008 at 10:30:59PM -0700, vorlon at debian.org wrote:
> > > I just upgraded one of my sid machines that had a modified /etc/pam.d/login,
> > > and was quite surprised to see the conffile prompt from this change,
> > > specifically because of the use of pam_faildelay.
>
> > > Did you consider doing this instead for pam_securetty?:
>
> > > auth [success=ok user_unknown=ignore default=die] pam_securetty.so
>
> > I did not add this because in case of an insecure TTY, if root enters
> > his name with a typo, she will be prompted for a password.
> > (That was true in my last try: the user is checked before the TTY)
>
> True, but I'm not convinced this is actually a problem; in order for the
> user to shoot themselves in the foot, they must:
>
> - be running login on an insecure tty (...seriously? who still runs telnet
> anymore, unless it's kerberized telnet?)
> - mistype the name "root"
> - fail to *notice* they've mistyped the name "root", and then proceed to
> type the root password.
>
> Is that really a case that's worth protecting against? Isn't it just as
> likely that a user will type in a *correct* username, and then make the
> mistake of typing the root password instead of the user password?
Right.
> > Would it be better to call pam_faildelay only in case of a pam_securetty
> > failure, and otherwise let pam_unix set the delay?
>
> All in all, I think that calling pam_faildelay is appropriate because there
> are authentication modules one might use in place of pam_unix which do *not*
> call pam_fail_delay at all (e.g., pam_krb5 and pam_ldap). I'm just not sure
> that /etc/pam.d/login is the right place for it, or if it actually belongs
> in /etc/pam.d/common-auth.
I'm a bit confused now.
Should I upload now a new version with the fixed pam_securetty.so
(user_unknown=ignore) and the pam_faildelay.so modules?
Cheers,
--
Nekral
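As an added illustration (not the thread's own configuration and not the file the shadow package ships), the two /etc/pam.d/login stacks the thread compares, with the control string from the message above; module names are the real Linux-PAM ones, while the delay value and the common-auth include are assumed:

```conf
# /etc/pam.d/login -- added illustration, not the shadow package's shipped file.
# Assumed: Linux-PAM with pam_securetty, pam_faildelay and a common-auth
# include that provides pam_unix (or a replacement such as pam_krb5/pam_ldap).

# --- Before: the behaviour the bug reports --------------------------------
# pam_securetty looks the user up before it checks the tty. For a name that
# does not exist it returns PAM_USER_UNKNOWN; "requisite" treats that as a
# fatal failure, so login prints 'Login incorrect' at once, with no password
# prompt and no delay. An observer can thus tell existing accounts from
# unknown ones.
#auth  requisite  pam_securetty.so

# --- After: the control string proposed in the thread ---------------------
# success=ok           existing user on a permitted tty: continue down the stack
# user_unknown=ignore  unknown name: act as if the module were absent, so the
#                      password prompt and the delay below are still reached
# default=die          root on an insecure tty (or any other error): stop the
#                      stack immediately and fail, like "requisite" would
auth  [success=ok user_unknown=ignore default=die]  pam_securetty.so

# Side effect discussed in the thread: on an insecure tty a mistyped "root"
# is now prompted for a password instead of being refused outright.

# Always sleep on failure, even when the auth module standing in for pam_unix
# (pam_krb5, pam_ldap) never calls pam_fail_delay itself. "delay" is given in
# microseconds; 3000000 (3 s) is an assumed value.
auth  optional  pam_faildelay.so  delay=3000000

# pam_unix (or its replacement) does the actual password check.
@include common-auth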