
Re: Linux-PAM-0.57preC



In continuation of the discussion about pam_nologin, I have two notes.

The first: if your pam config file contains
	requisite	pam_nologin.so
	required	pam_pwdb.so
then the /etc/nologin message will be displayed in both cases: when the user
enters a correct username/password and when not.

If you write
	requisite	pam_pwdb.so
	required	pam_nologin.so
then /etc/nologin will be displayed only for valid logins.

In pam.conf from ftp://sysadm.sorosis.ro/pub/devel/pam/pam-0.57-3.i386.rpm
the following is written:
	login   auth       requisite    /lib/security/pam_securetty.so
	login   auth       required     /lib/security/pam_pwdb.so shadow md5 nullok
	login   auth       requisite    /lib/security/pam_nologin.so

Is this a misprint, or do I not understand something?

The second: with a little surprise I found that the login program from
util-linux-2.5-33.i386.rpm (distributed in Red Hat 4.1) allows a hacker
to know whether a name is a valid username in any case.
Compare:

--------------------

castle login: abc
Password:

Login incorrect

castle login:

--------------------

castle login: saw
Password:
Login incorrect

Please enter username:

--------------------


I made a little patch solving the problem (see the end of the letter or
ftp://castle.nmd.msu.ru/pub/Linux/patches/
ftp://castle.nmd.msu.ru/pub/Linux/RPMS/util-linux-2.5-33s1.i386.rpm
ftp://castle.nmd.msu.ru/pub/Linux/SRPMS/util-linux-2.5-33s1.src.rpm
the binary package is signed by saw@msu.ru; the fingerprint is
7D D3 BB 04 AD 68 60 7C  F1 4C 2E FC 63 3A C8 2F)

Now I want to open a new topic for discussion:
in which cases is a retry of the password prompt reasonable?
(retcode == PAM_AUTH_ERR is obviously incorrect; what about
retcode == PAM_AUTH_ERR || retcode == PAM_USER_UNKNOWN?)


					Andrey V.
					Savochkin


--- util-linux-2.5/login-utils/login.c.dist	Wed Mar  5 16:24:10 1997
+++ util-linux-2.5/login-utils/login.c	Wed Mar  5 16:27:03 1997
@@ -450,7 +450,7 @@
 	  int failcount=0;
 	  retcode = pam_authenticate(pamh, 0);
 	  while((failcount++ < MAX_LOGIN_TRIES)
-		&& (retcode == PAM_AUTH_ERR)) {
+		&& (retcode == PAM_AUTH_ERR || retcode == PAM_USER_UNKNOWN)) {
 	    pam_get_item(pamh, PAM_USER, (const void **) &username);
 	    syslog(LOG_NOTICE,"%d FAILED LOGINS FROM %s FOR %s, %s",
 		   failcount, hostname,username,pam_strerror(retcode));
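Review bot: the widened condition makes PAM_AUTH_ERR and PAM_USER_UNKNOWN take the same retry path, but only inside the while condition; any code after the loop that still compares retcode against PAM_AUTH_ERR alone (for example when choosing the final message or deciding whether to re-prompt for a username, as the "Please enter username:" output above shows it does) would reintroduce the distinction this patch is meant to remove, so that path needs the same treatment. A one-line comment above the condition stating that the two codes are deliberately treated alike would stop a later cleanup from "simplifying" it back to `retcode == PAM_AUTH_ERR`. Note also that the syslog line in the loop body now records the entered name for unknown users as well; that is the intended behaviour here but worth stating in the patch description.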



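To make the first note concrete, here is a small toy model of Linux-PAM auth-stack evaluation run over the three pam_nologin/pam_pwdb orderings quoted in the letter. This is an added example, not code from the letter or from Linux-PAM; the control-flag semantics are simplified (first failure wins, securetty is omitted), the numeric return codes, the "saw"/"secret" account and the presence of /etc/nologin are constructed assumptions.

```python
# Toy model of Linux-PAM auth-stack evaluation for the orderings in the letter.
# Constructed example; semantics are simplified and pam_securetty is omitted.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 7, 10   # values as assumed here

def pam_nologin(ctx):
    """If /etc/nologin exists, display it and fail (root is exempt)."""
    if ctx["nologin_exists"] and ctx["user"] != "root":
        ctx["shown"].append("nologin")          # the message the user would see
        return PAM_AUTH_ERR
    return PAM_SUCCESS

def pam_pwdb(ctx):
    """Look the user up, then check the password (in-memory constructed db)."""
    db = ctx["passwd_db"]
    if ctx["user"] not in db:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if db[ctx["user"]] == ctx["password"] else PAM_AUTH_ERR

def run_stack(stack, ctx):
    """Simplified control flags: the first failure becomes the result;
    requisite stops at once, required keeps going, sufficient short-circuits."""
    result = PAM_SUCCESS
    for control, module in stack:
        rc = module(ctx)
        if rc != PAM_SUCCESS and control in ("requisite", "required"):
            if result == PAM_SUCCESS:
                result = rc
            if control == "requisite":
                return result
        elif control == "sufficient" and rc == PAM_SUCCESS and result == PAM_SUCCESS:
            return PAM_SUCCESS
        # optional modules and failing sufficient modules are ignored
    return result

STACKS = {   # the three orderings discussed in the letter
    "nologin_then_pwdb": [("requisite", pam_nologin), ("required", pam_pwdb)],
    "pwdb_then_nologin": [("requisite", pam_pwdb), ("required", pam_nologin)],
    "rpm_pam_conf":      [("required", pam_pwdb), ("requisite", pam_nologin)],
}

def login_attempt(stack_name, user, password):
    """Return (final PAM result, whether the /etc/nologin text was shown)."""
    ctx = {"user": user, "password": password, "nologin_exists": True,
           "passwd_db": {"saw": "secret"}, "shown": []}   # constructed account
    rc = run_stack(STACKS[stack_name], ctx)
    return rc, "nologin" in ctx["shown"]

if __name__ == "__main__":
    for name in STACKS:
        for user, pw in (("saw", "secret"), ("saw", "wrong"), ("abc", "x")):
            print(name, user, pw, login_attempt(name, user, pw))
```

Only the `pwdb_then_nologin` ordering shows the /etc/nologin text solely after a correct password; in the other two stacks the text appears for wrong passwords and unknown names alike, which is the disclosure the letter describes.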