
PAM and logon failures if username not correct


I am having a problem on a RH4.0 system trying to get dial-up working. The
problem seems to relate to PAM.

Unfortunately, we have PAM 0.50 on the machine, and it is a production
machine, so I have to tread carefully. Upgrading to RH4.2 or 5.0 is not on
the cards for a while yet, but upgrading to the latest PAM support may be
feasible if it does not break too many other things.

The modem setup is being used by a bunch of people with Win95 PCs using
dialup scripts that bring up ppp. These machines are out in the field, and
are hard to recall to fix the scripts. It is also used by people who dial in
manually to do terminal work.

The problems I am having are:

1. If a user gets their username wrong, perhaps because they mistyped, they
are logged out immediately, and the modem drops.

This seems to be because pam_unix_auth treats an unknown username specially and
returns with a special status. There seems to be no code in the versions of
PAM that I looked at (0.57) that retries the username and password prompt if
the username does not exist. This seems to pose a small security problem, as
an intruder gets told quickly that they have a bogus username.

2. The prompt string seems to be hard-coded into pam_unix_auth, so any
changes made to gettydefs seem to be ignored. Is there a way to pass the prompt
strings to PAM?

Any hints would be appreciated.

Richard Sharpe, sharpe@ns.aus.com, Mobile: 0412 214 911
NS Computer Software and Services P/L, 
Ph: +61-8-8281-0063, FAX: +61-8-8250-2080, WWW: http://www.ns.aus.com
Net.Commerce, Apache, Netscape, ICSS, Linux, DU, AIX, DBI, DB2, LWP,
HylaFAX ...
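
The behaviour described in point 1, modelled as an added example (not part of the original post and not PAM's own code): one session loop that ends as soon as the module reports an unknown user, beside one that handles both failure kinds identically and re-prompts. The status names, the account table and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TRIES 3

/* Hypothetical stand-ins for the auth module's result codes. */
enum auth_status { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_USER_UNKNOWN };

struct cred { const char *user; const char *pass; };

/* Constructed account table; a real module would consult the passwd database. */
static const struct cred accounts[] = { { "alice", "s3cret" } };

/* Models the module behaviour described in the post: unknown users get their own status. */
static enum auth_status module_auth(const struct cred *c)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, c->user) == 0)
            return strcmp(accounts[i].pass, c->pass) == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
    return AUTH_USER_UNKNOWN;
}

/* Session loop as described: an unknown username ends the session at once.
 * Returns 1 on login, 0 on failure; *prompts counts the login prompts shown. */
int login_drop_on_unknown(const struct cred *typed, size_t n, int *prompts)
{
    *prompts = 0;
    for (size_t i = 0; i < n && i < MAX_TRIES; i++) {
        ++*prompts;
        enum auth_status st = module_auth(&typed[i]);
        if (st == AUTH_OK) return 1;
        if (st == AUTH_USER_UNKNOWN) return 0;  /* line drops: caller learns the name is bogus */
    }
    return 0;
}

/* Uniform handling: both failure kinds look the same and both allow a retry. */
int login_uniform(const struct cred *typed, size_t n, int *prompts)
{
    *prompts = 0;
    for (size_t i = 0; i < n && i < MAX_TRIES; i++) {
        ++*prompts;
        if (module_auth(&typed[i]) == AUTH_OK) return 1;
        /* AUTH_BAD_PASSWORD and AUTH_USER_UNKNOWN: same message, same re-prompt */
    }
    return 0;
}
```

With the uniform loop, a mistyped username costs one extra prompt instead of the call, and the number of prompts no longer tells a caller whether the name exists.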
