
Re: pam_securetty failure for unknown users on secure ttys

On Sat, Jun 14, Nicolas François wrote:

> Hello,
> On Debian, login uses pam_securetty as a requisite module.
> The reason for this is to fail immediately if the tty is not secure to
> avoid prompting for a password on an insecure line.
> In Linux-PAM-0_99_1_0 (pam_securetty.c revision 1.8), the return value of
> the authentication function was changed from PAM_IGNORE to
> When pam_securetty is a requisite module, this means that the
> authentication will fail immediately if the user does not exist in the
> system. This might indicate to an attacker that the given user does not
> exist.

If you don't like that, you can overwrite in this case (see pam.conf manual
> What was the rationale for changing the return value from PAM_IGNORE to

Assume root mistypes his account name: pam_securetty would return
PAM_IGNORE, the next module would allow root to correct the user name,
and root is able to login on an insecure tty.

> (BTW the pam_securetty's manpage needs an update)

Please make a bug report on sf.net for this, so it does not get lost.

> I would prefer that pam_securetty fails only if the tty is not secure and
> the user is root or unknown.

I fail to see the difference from the current behavior. With your suggestion,
an attacker can also simply find out whether the account exists or not.

> And to leave the user authentication / check for validity to the pam_unix
> module.

pam_securetty does neither user authentication nor a check
for validity; it only needs to find out if the user is root.
If it does not know the user, it cannot find out if it is root.


Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
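The trade-off argued in this thread, as an added illustration that is not code from Linux-PAM or from either poster: a reduced model of an `auth requisite pam_securetty` / `auth required pam_unix` stack, with pam_securetty's return value for unknown users parameterised (PAM_IGNORE before the change, PAM_USER_UNKNOWN after it). The account database and secure-tty list are constructed sample data, and the flag semantics are simplified to what the discussion needs.

```python
# Simplified model of a Linux-PAM auth stack, written for this example to show
# how pam_securetty's return value for unknown users interacts with the
# "requisite" control flag. Not Linux-PAM code; only the behaviour discussed
# in the thread is modelled.

PAM_SUCCESS, PAM_IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"

# Constructed stand-ins for the account database and /etc/securetty.
KNOWN_USERS = {"root": "r00t", "alice": "s3cret"}
SECURE_TTYS = {"tty1"}


def securetty(user, tty, unknown_rc):
    """pam_securetty: deny root on an insecure tty. `unknown_rc` is what the
    module returns for a user it cannot look up (PAM_IGNORE before the change
    in pam_securetty.c revision 1.8, PAM_USER_UNKNOWN after it)."""
    if user not in KNOWN_USERS:
        return unknown_rc
    if user == "root" and tty not in SECURE_TTYS:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def run_auth(user, tty, password, unknown_rc):
    """Evaluate the stack  auth requisite pam_securetty / auth required pam_unix.
    Returns (final_code, password_was_prompted)."""
    rc = securetty(user, tty, unknown_rc)
    if rc not in (PAM_SUCCESS, PAM_IGNORE):
        return rc, False          # requisite: fail now, pam_unix never runs
    # pam_unix (required): this is where the password prompt goes out on the tty.
    prompted = True
    if KNOWN_USERS.get(user) == password:
        return PAM_SUCCESS, prompted
    return PAM_AUTH_ERR, prompted


def prompt_reveals_user_existence(tty, unknown_rc):
    """True if a known and an unknown account are distinguishable by whether a
    password prompt appears at all (the enumeration concern in the thread)."""
    _, known = run_auth("alice", tty, "", unknown_rc)
    _, unknown = run_auth("nosuchuser", tty, "", unknown_rc)
    return known != unknown
```

With PAM_IGNORE, a mistyped "rot" on an insecure tty still reaches the password prompt, which is the case the change closes; with PAM_USER_UNKNOWN, the prompt itself now depends on whether the account exists.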
