
Re: Behavior of module that support /etc/nologin



Steve "Stevers!" Coile wrote:
> But if the contents of /etc/nologin (if any) are displayed if (and
> only if) the user enters a correct username and password, you've just
> given away that the username/password combination is correct, even if
> the attacker hasn't gained shell account because of the (presumably
> temporary) login restriction.  It seems to me that, in order to be
[...]

This is not the behavior I see.  I guess you are sticking with older
utilities.

I am using SimplePAMApps-0.54-1, pam-0.57-5 and pwdb-0.54-7.  The following
/etc/pam.d/login file yields exactly the behavior I indicated previously:

---------------------------------------------------------------------
#%PAM-1.0
#[For version 1.0 syntax, the above header is optional]
#
# The PAM configuration file for the `login' service
#
auth       required   pam_pwdb.so
auth       required   pam_nologin.so
auth       optional   pam_group.so
auth       optional   pam_mail.so
account    requisite  pam_time.so
account    required   pam_pwdb.so
session    required   pam_pwdb.so
session    optional   pam_lastlog.so \
                debug
password   required   pam_cracklib.so \
                retry=2
password   required   pam_pwdb.so \
                use_authtok
---------------------------------------------------------------------

I hope this helps

Andrew
-- 
               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
                  http://parc.power.net/morgan/index.html
       [ For those that prefer FTP  ---  ftp://ftp.lalug.org/morgan ]
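
Added example, not part of the original message and not Linux-PAM code: a small Python model of how the `required` and `requisite` control flags decide whether pam_nologin.so is invoked after a wrong password, which is what determines whether the /etc/nologin text can reveal a correct username/password. It assumes /etc/nologin exists and that pam_nologin.so prints the file and denies a non-root user whenever it is invoked; `VARIANT` is a hypothetical edit of the posted stack.

```python
# Added example: models PAM control-flag semantics only; no real modules are called.
# Constructed input: the auth lines from the message plus one continuation line.
PAGE_CONFIG = r"""
#%PAM-1.0
auth       required   pam_pwdb.so
auth       required   pam_nologin.so
auth       optional   pam_group.so
session    optional   pam_lastlog.so \
                debug
"""

def parse(text):
    """Return (type, control, module, args) tuples, joining '\\' continuations."""
    entries, buf = [], ""
    for raw in text.splitlines():
        raw = raw.strip()
        if raw.startswith("#"):
            continue
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        fields, buf = (buf + raw).split(), ""
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def run_auth(entries, outcome):
    """Walk the auth stack; outcome maps module -> True/False (default True).
    Returns (modules that were invoked, whether auth succeeds overall)."""
    ran, ok, failed = [], False, False
    for mtype, control, module, _ in entries:
        if mtype != "auth":
            continue
        ran.append(module)
        success = outcome.get(module, True)
        if control in ("required", "requisite"):
            ok, failed = ok or success, failed or not success
            if control == "requisite" and not success:
                break                      # requisite: stop at first failure
        elif control == "sufficient" and success and not failed:
            return ran, True               # sufficient: short-circuit success
    return ran, ok and not failed

def nologin_reached(config, password_ok):
    """Assumption: /etc/nologin exists, so pam_nologin.so denies a non-root user
    and prints the file whenever it is invoked."""
    outcome = {"pam_pwdb.so": password_ok, "pam_nologin.so": False}
    ran, granted = run_auth(parse(config), outcome)
    return "pam_nologin.so" in ran, granted

# Hypothetical variant: pam_pwdb.so marked requisite instead of required.
VARIANT = PAGE_CONFIG.replace("required   pam_pwdb.so", "requisite  pam_pwdb.so")
```

With the posted ordering, pam_nologin.so is reached for both a right and a wrong password; only the hypothetical requisite variant reaches it solely when the password is correct.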


