[Pkg-shadow-devel] Bug#531341: prints "login incorrect" without asking for password when entering an invalid login

Nicolas François nicolas.francois at centraliens.net
Tue Mar 16 11:29:21 UTC 2010


Hello Steve,

On Wed, Sep 02, 2009 at 01:32:17AM -0700, Steve Langasek wrote:
> 
> > * debian/login.pam: pam_securetty included as a required module instead of
> >     requisite to avoid leak of user name information. Closes: #531341
> 
> Please revert this change.  The 'requisite' module is necessary to prevent
> exposure of the root password over insecure channels - such as telnet, but
> also including unencrypted XDMCP connections.  root users should never have
> the opportunity to type their password when the tty is not secure.

Sorry for the long delay, and thanks to Christian for repinging on this
topic.

I would prefer to use the following (rather than a requisite):
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

The difference with requisite is the addition of user_unknown=bad

The problem with requisite is that it leaks knowledge on the existing
usernames (with pam 1.1.0-4, this leak is limited to insecure lines, but
this might not be sufficient).

The possible user enumeration (which was very visible with pam < 1.1.0-4
since it occurred on any box on the console ttys) was the cause of
numerous complaints, so I think this default would be more sensible than a
simple "requisite".

IMHO, the only issue is that if root mis-types the username, then a
password is prompted. But I consider this can be blamed on root for:
 * mis-typing
 * not remembering that the line is insecure

Do you agree with that choice?

Best Regards,
-- 
Nekral
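Added example (not part of the original mail): a small Python model of how Linux-PAM evaluates the two control settings compared above, `requisite` versus `[... user_unknown=bad default=die]`, for an `auth` stack of pam_securetty.so followed by pam_unix.so. The account database, the secure tty list and the stack walk are constructed here for illustration; the point shown is that `requisite` skips the password prompt for unknown users (observable username enumeration), while `user_unknown=bad` prompts and still fails, and root on an insecure line is refused without a prompt in both cases.

```python
# Constructed simulation of PAM control-flag evaluation; not Linux-PAM itself.
SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"

# 'requisite' is shorthand for this control table in Linux-PAM.
REQUISITE = {"success": "ok", "new_authtok_reqd": "ok",
             "ignore": "ignore", "default": "die"}
# The control proposed in the mail: unknown users fall through as 'bad'.
PROPOSED = dict(REQUISITE, user_unknown="bad")

KNOWN_USERS = {"root", "alice"}   # constructed account database
SECURE_TTYS = {"tty1"}            # constructed /etc/securetty contents


def pam_securetty(user, tty):
    """Model of pam_securetty: unknown user, root on insecure line, or ok."""
    if user not in KNOWN_USERS:
        return USER_UNKNOWN
    if user == "root" and tty not in SECURE_TTYS:
        return AUTH_ERR
    return SUCCESS


def run_auth_stack(control, user, tty, password_ok):
    """Walk the stack
         auth <control>  pam_securetty.so
         auth required   pam_unix.so
    and return (password_prompt_shown, login_succeeded)."""
    rc = pam_securetty(user, tty)
    action = control.get(rc, control["default"])
    if action == "die":
        return False, False           # stack aborted before pam_unix runs
    stack_failed = action == "bad"    # keep going, but final result is failure
    # pam_unix (required) always prompts; it fails unknown users itself.
    unix_ok = user in KNOWN_USERS and password_ok
    return True, (unix_ok and not stack_failed)


def leaks_usernames(control, tty):
    """True if a remote party can tell a known from an unknown user
    just by whether a password prompt appears (no password needed)."""
    known, _ = run_auth_stack(control, "alice", tty, False)
    unknown, _ = run_auth_stack(control, "nosuchuser", tty, False)
    return known != unknown


if __name__ == "__main__":
    for name, ctl in (("requisite", REQUISITE), ("proposed", PROPOSED)):
        print(name, "leaks usernames on pts/0:", leaks_usernames(ctl, "pts/0"))
```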