[Pkg-shadow-devel] Bug#531341: prints "login incorrect" without asking for password when entering an invalid login

Nicolas François nicolas.francois at centraliens.net
Sat Jul 18 17:18:21 UTC 2009


On Sun, May 31, 2009 at 09:27:09PM +0300, Dmitri Gribenko wrote:
> If you enter an invalid login, you get "login incorrect" immediately.
> Expected behavior is that password should be asked regardless of login
> correctness.  This is to mitigate user enumeration attacks.

Please look at the pam_securetty.so section in /etc/pam.d/login

There are two contradicting security goals which are to avoid having root's
password entered on unsafe lines (and unknown users should be considered
as a mistyped 'root'), and to avoid leaking information regarding existing

I don't really know how to handle this bug. My preference would go to
close it (which I will do in a few week if there are no answers). Another
solution could be to keep it as wontfix as an "information bug" and wait
until somebody finds a cleaner solution.

Dmitri, changing the inclusion of pam_securetty.so from requisite to
required is probably what you are looking for.

Best Regards,

More information about the Pkg-shadow-devel mailing list