[Pkg-shadow-devel] Bug#531341: prints "login incorrect" without asking for password when entering an invalid login
Nicolas François
nicolas.francois at centraliens.net
Tue Mar 16 11:29:21 UTC 2010
Hello Steve,
On Wed, Sep 02, 2009 at 01:32:17AM -0700, Steve Langasek wrote:
>
> > * debian/login.pam: pam_securetty included as a required module instead of
> > requisite to avoid leak of user name information. Closes: #531341
>
> Please revert this change. The 'requisite' module is necessary to prevent
> exposure of the root password over insecure channels - such as telnet, but
> also including unencrypted XDMCP connections. root users should never have
> the opportunity to type their password when the tty is not secure.
Sorry for the long delay, and thanks to Christian for repinging on this
topic.
I would prefer to use the following (rather than a requisite):
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
The difference with requisite is the addition of user_unknown=bad.
The problem with requisite is that it leaks knowledge on the existing
usernames (with pam 1.1.0-4, this leak is limited to insecure lines, but
this might not be sufficient).
The possible user enumeration (which was very visible with pam < 1.1.0-4
since it occurred on any box on the console ttys) was the cause of
numerous complaints, so I think this default would be more sensible than a
simple "requisite".
IMHO, the only issue is that if root mis-types the username, then a
password is prompted. But I consider this can be blamed on root for:
* mis-typing
* not remembering that the line is insecure
Do you agree with that choice?
Best Regards,
--
Nekral
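As an added illustration (not part of this thread or of the shadow/pam packages), the following Python stub models how Linux-PAM evaluates the three control fields under discussion (required, requisite, and the bracketed form with user_unknown=bad) for a two-module auth stack. The pam_securetty and pam_unix behaviour and the user database are constructed assumptions; the point is to see which configuration prompts for a password when the user is unknown, and which prompts root on an insecure line.

```python
SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"
KNOWN_USERS = {"root": "secret", "alice": "hunter2"}  # constructed sample accounts

# Classic keywords expressed as the bracketed actions Linux-PAM defines them as.
CONTROLS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}
# The proposal from the mail: requisite, except an unknown user is recorded as a
# failure and the stack keeps going, so pam_unix still prompts for a password.
CONTROLS["proposed"] = dict(CONTROLS["requisite"], user_unknown="bad")

def pam_securetty(user, secure_tty, prompt):
    # Stub: refuse root on an insecure tty, report unknown accounts, pass everyone else.
    if user not in KNOWN_USERS:
        return USER_UNKNOWN
    if user == "root" and not secure_tty:
        return AUTH_ERR
    return SUCCESS

def pam_unix(user, secure_tty, prompt):
    # Stub: always asks for a password, then checks it against the account database.
    pw = prompt()
    if user not in KNOWN_USERS:
        return USER_UNKNOWN
    return SUCCESS if KNOWN_USERS[user] == pw else AUTH_ERR

def run_auth_stack(securetty_control, user, secure_tty, password):
    """Evaluate 'auth <securetty_control> pam_securetty' then 'auth required pam_unix'.
    Returns (authenticated, password_prompted) so the information leak is visible."""
    prompted = False
    def prompt():
        nonlocal prompted
        prompted = True
        return password
    stack = [(CONTROLS[securetty_control], pam_securetty), (CONTROLS["required"], pam_unix)]
    state = None  # None: nothing recorded yet, "ok": passing so far, "bad": failed
    for control, module in stack:
        action = control.get(module(user, secure_tty, prompt), control["default"])
        if action == "ok":
            state = state or "ok"      # a recorded failure is never overwritten
        elif action == "bad":
            state = "bad"              # record failure, keep evaluating the stack
        elif action == "die":
            return False, prompted     # stop immediately: no later module runs
    return state == "ok", prompted

def leak_matrix(control):
    """On an insecure tty, which login names get a password prompt at all?"""
    cases = {"unknown user": "mallory", "existing user": "alice", "root": "root"}
    return {k: run_auth_stack(control, u, False, "wrong")[1] for k, u in cases.items()}
```

With "requisite" the prompt itself tells an attacker whether the name exists; with "required" root is asked for a password over the insecure line; the proposed control closes both gaps.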