Re: Linux-PAM-0.57preC



> Just a note to announce Linux-PAM-0.57preC is available (from my
> pre-release) directory:
...
> * Modified pam_nologin to display the no-login message when the user
>   is not known. The return value in this case is still PAM_USER_UNKNOWN.
>   (Bug report from Cristian Gafton)

Is this the correct behaviour?  On the one hand, you may wish to display
the message in either case, so that a cracker wouldn't be able to tell
whether the user is valid or not.  On the other hand, I believe that the
standard behaviour is to print the message out AFTER login authentication
(logname/password); in that way, the cracker would still get the
same behaviour (login refused) unless he or she has a correct logname
and password - in which case, we can't tell her or him from a "real"
user.

The issue is that an /etc/nologin message may contain downtime
information that the correctly paranoid system administrator doesn't
want the random person off the street to see.

What would it take to make the behaviour admin-selectable in the config
file?  (I suppose I should answer that for myself, in my copious free
time.  ;-) )

Joe Yao				jsdy@cais.com - Joseph S. D. Yao