[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam_securetty failure for unknown users on secure ttys


On Sat, Jun 21, 2008 at 09:14:27AM +0200, kukuk suse de wrote:
> On Sat, Jun 21, Nicolas François wrote:
> > If the failure were limited to non-secure TTYs, this would limit the
> > probability of such brute force.
> But wouldn't a hacker come from a non-secure TTY most of the time?
> And there you would still have the same problem with your suggestion.
> It only helps for the local console, not for network attacks.

Yes. It's far from perfect.
Enforcing a delay in login might be better to protect against brute force

> Between, what I use to avoid your problem in /etc/pam.d/login:
> auth     requisite      pam_nologin.so
> auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]        pam_securetty.so
> auth     include        common-auth

Thanks, that's what I will consider.

Best Regards,

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]