[Pkg-shadow-devel] Bug#531341: prints "login incorrect" without asking for password when entering an invalid login

Nicolas François nicolas.francois at centraliens.net
Sat Jul 18 17:18:21 UTC 2009


Hi,

On Sun, May 31, 2009 at 09:27:09PM +0300, Dmitri Gribenko wrote:
> 
> If you enter an invalid login, you get "login incorrect" immediately.
> Expected behavior is that password should be asked regardless of login
> correctness.  This is to mitigate user enumeration attacks.

Please look at the pam_securetty.so section in /etc/pam.d/login

There are two contradictory security goals: to avoid having root's
password entered on unsafe lines (an unknown user should be treated as
a mistyped 'root'), and to avoid leaking information about which users
exist.

I don't really know how to handle this bug. My preference would be to
close it (which I will do in a few weeks if there are no answers). Another
solution could be to keep it as wontfix, as an "information bug", and wait
until somebody finds a cleaner solution.

Dmitri, changing the inclusion of pam_securetty.so from requisite to
required is probably what you are looking for.

Best Regards,
-- 
Nekral

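As an added illustration (not from this thread, the shadow package or Linux-PAM itself), here is what the two control flags Nicolas mentions look like in /etc/pam.d/login. The surrounding lines are an abbreviated sketch of a Debian-style stack, not a copy of the shipped file, and the comments describe the standard semantics of the PAM control flags:

```text
# Behaviour reported in the bug (abbreviated sketch, not the shipped file).
# pam_securetty.so applies to root, and to any user it cannot look up
# (a mistyped "root" must not slip through).  On a tty that is not listed
# in /etc/securetty the module fails; with "requisite" the stack stops
# right here, so login(1) prints "Login incorrect" before any password
# module has had a chance to prompt -- which is what the reporter sees.
auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
@include   common-auth      # pam_unix.so etc.: this is what asks for the password

# Variant suggested in the reply.  "required" records the failure but
# lets the stack continue, so pam_unix.so still prompts for a password
# and the overall failure is only reported once the whole stack has run.
# An unknown user and a real user with a wrong password then look the
# same to the person at the terminal, at the price of root's password
# (or a mistyped root login) being typed on the insecure line.
auth       required   pam_securetty.so
auth       requisite  pam_nologin.so
@include   common-auth
```

To see which variant a system runs, grep for pam_securetty in /etc/pam.d/login; the first word after `auth` is the control flag. Note that switching to `required` does not silence the failure, it only defers it past the password prompt, so it picks the second of the two goals described above at the expense of the first.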