[Pkg-shadow-devel] pam_securetty failure for unknown users on secure ttys

Thorsten Kukuk kukuk at suse.de
Sat Jun 21 07:14:27 UTC 2008


Hi,

On Sat, Jun 21, Nicolas François wrote:

> Hello Thorsten,
> 
> Do you think unknown users should be denied by pam_securetty on secure
> TTYs?
> (whether it's a mistyped regular user, a mistyped root user, or a non
> existing user).

I think giving access if I know that something cannot be correct would
be a mistake.
On the other hand, giving access if something comes from a secure TTY
should not lead to a security problem later.

> On debian, login does not enforce any PAM delay (the reason was to let the
> configuration of delays to PAM (instead of PAM + login.defs), and also
> because delays are used to avoid brute force attack - and modules like
> pam_securetty or pam_nologin do not need to be protected against brute
> force attacks and can lead to an immediate failure)
> 
> With the current pam_securetty failures on secure TTYs, it is possible to
> brute force usernames via login.
>
> If the failure were limited to non-secure TTYs, this would limit the
> probability of such brute force.

But wouldn't a hacker come from a non-secure TTY most of the time?
And there you would still have the same problem with your suggestion.
It only helps for the local console, not for network attacks.

Between, what I use to avoid your problem in /etc/pam.d/login:

auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]        pam_securetty.so
auth     include        common-auth


  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
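An added example, not code from the thread or from Linux-PAM: a small Python model of how PAM control-flag actions walk the auth stack quoted above. It assumes simplified module behaviour (pam_securetty returning user_unknown for unknown users, a stand-in for common-auth/pam_unix) and a constructed securetty/passwd set, and shows that with `user_unknown=ignore` an unknown user and a known user with a wrong password both reach common-auth, whereas a plain `requisite` line stops at pam_securetty.

```python
# Simplified model of Linux-PAM stack evaluation; not the real library code.
SECURE_TTYS = {"tty1", "console"}          # constructed /etc/securetty
KNOWN_USERS = {"root", "alice"}            # constructed passwd database

# Linux-PAM expands the classic keywords into action maps; "requisite" is
# what a plain "auth requisite pam_securetty.so" line would use.
KEYWORDS = {
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "required":  {"success": "ok", "ignore": "ignore", "default": "bad"},
}
# The bracketed control from the mail above, as an action map.
THORSTEN = {"user_unknown": "ignore", "success": "ok", "ignore": "ignore",
            "auth_err": "die", "default": "bad"}

def pam_securetty(user, tty, password):
    if user not in KNOWN_USERS:
        return "user_unknown"
    if user == "root" and tty not in SECURE_TTYS:
        return "auth_err"
    return "success"

def pam_unix(user, tty, password):           # stands in for common-auth
    if user not in KNOWN_USERS:
        return "user_unknown"
    return "success" if password == "correct" else "auth_err"

def run_stack(stack, user, tty, password):
    """Return (final result, modules consulted) for one auth attempt."""
    impression, status, ran = None, "perm_denied", []
    for name, actions, module in stack:
        ret = module(user, tty, password)
        ran.append(name)
        action = actions.get(ret, actions["default"])
        if action == "ignore":
            continue
        if action == "ok" and impression is None:
            impression, status = "pos", ret      # first success counts
        elif action in ("bad", "die") and impression != "neg":
            impression, status = "neg", ret      # first failure wins
        if action == "die":
            break                                # stop consulting modules
    return status, ran

def login_attempt(control, user, tty, password="wrong"):
    # pam_nologin is omitted from the model; it does not affect the point.
    stack = [("pam_securetty", control, pam_securetty),
             ("common-auth", KEYWORDS["required"], pam_unix)]
    return run_stack(stack, user, tty, password)
```

With the plain keyword, an unknown user is answered before common-auth runs, so the modules consulted differ from a known user's attempt; with the bracketed control both paths end in common-auth.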
