
Re: pam_nologin



> > 	- a "nologin" file exists.
> > 	- the computer prompts for a username [logname].
> > 	- a user enters his or her logname.
> > 	- the computer displays the contents of the "nologin" file.
> > 	- the computer states that the login is incorrect.
> > 	- the computer requests another logname.

> Would it make sense to ask for the password as well, on the principle of
> not giving information out to nonauthenticated users, including the fact
> that they can't log in? ...

You can configure PAM to do that [cf the beginning of this thread].
However, for an existing user, the contents of "nologin" are printed
out, while for a user that doesn't exist, I believe nothing is printed
out [disclaimer - I don't believe I've specifically tested this, but
that's the way we used to do it].  To the clueful, this would be a clue.

> ... Also, if someone has changed uid 0 to be named
> something other than root, would this reveal that fact?

(a) yes.  (b) so?
In any case, "root" shouldn't be allowed to log in on an unsecured line,
which typically means that only the console should allow it.  The
scenario which I included in the note which you cite kind of assumed a
console login.  If you've secured all other lines, then "root" should
give a can't-log-in message whether it's really "root" or not.

Then again, if you think changing the name from "root" gives you any
degree of security - or just is fun to do [Peter Langston called it
"pogo" once] - you might be amused at setting up a "root" login with no
privileges but plenty of warning bells and logging attached.

Joe Yao				jsdy@cais.com - Joseph S. D. Yao
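An added illustration of the configuration the reply refers to, not part of the original thread: a Linux-PAM stack for login, with the file path, module names and layout assumed to be the usual Linux-PAM ones (the thread shows no configuration of its own). The first ordering prints the nologin file before any password is requested; the second defers the nologin check to the account phase, which PAM only runs after authentication succeeds, and adds the console-only root restriction mentioned above.

```text
# /etc/pam.d/login  (Linux-PAM; assumed layout, not taken from the thread)

# Ordering that reveals /etc/nologin before a password is asked for:
# pam_nologin runs first in the auth stack and prints the file for any
# existing account; only afterwards does pam_unix prompt for a password.
auth     required   pam_nologin.so
auth     required   pam_unix.so

# Ordering that asks for the password first: the auth stack holds only
# the tty and password checks, and the nologin test sits in the account
# stack, which PAM evaluates only after authentication has completed.
# An unauthenticated caller therefore gets the same "Login incorrect"
# whether or not a nologin file exists, and whether or not the account
# exists; the file contents are shown only to a correctly authenticated user.
auth     requisite  pam_securetty.so    # root only from ttys listed in /etc/securetty
auth     required   pam_unix.so
account  required   pam_nologin.so
account  required   pam_unix.so
```

Which of the two orderings a given system ships with is decided by the distribution's /etc/pam.d files, so check the auth and account stacks of the login service rather than assuming either.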


