pam_securetty failure for unknown users on secure ttys

Thorsten Kukuk kukuk at suse.de
Sun Jun 15 08:18:23 UTC 2008


On Sat, Jun 14, Nicolas François wrote:

> Hello,
> 
> On Debian, login uses pam_securetty as a requisite module.
> The reason for this is to fail immediately if the tty is not secure to
> avoid prompting for a password on an insecure line.
> 
> In Linux-PAM-0_99_1_0 (pam_securetty.c revision 1.8), the return value of
> the authentication function was changed from PAM_IGNORE to
> PAM_USER_UNKNOWN.
> When pam_securetty is a requisite module, this means that the
> authentication will fail immediately if the user does not exist in the
> system. This might indicate to an attacker that the given user does not
> exist.

If you don't like that, you can overwrite in this case (see pam.conf manual
page).
 
> What was the rationale for changing the return value from PAM_IGNORE to
> PAM_USER_UNKNOWN?

Assume root mistypes his account name: pam_securetty would return
PAM_IGNORE, the next module would allow root to correct the user name,
and root would be able to log in on an insecure tty.

> (BTW the pam_securetty's manpage needs an update)

Please file a bug report on sf.net for this, so it does not get lost.

> I would prefer that pam_securetty fails only if the tty is not secure and
> the user is root or unknown.

I fail to see the difference from the current behavior. With your suggestion,
an attacker can also simply find out whether the account exists or not.

> And to leave the user authentication / check for validity to the pam_unix
> module.

pam_securetty does neither user authentication nor a validity check;
it only needs to find out whether the user is root.
If it does not know the user, it cannot find out whether it is root.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
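As an added illustration (not part of this thread or of Linux-PAM itself), the following Python model of how libpam walks an auth stack shows the observable difference the thread argues about: with the post-0.99.1 return value and a requisite pam_securetty, an unknown account on an insecure tty never reaches the password prompt, while the `user_unknown=ignore` override Thorsten points to (pam.conf(5) full-control syntax) restores the prompt at the cost of also prompting when root mistypes the name. The secure-tty list, the account list and the password module are stubbed and constructed for the demo.

```python
SECURE_TTYS = {"tty1"}                    # constructed for the demo
USERS = {"root", "alice"}                 # constructed account database
SUCCESS, IGNORE, AUTH_ERR, USER_UNKNOWN = "success", "ignore", "auth_err", "user_unknown"

# Control tables as pam.conf(5) defines the keywords (simplified: the
# new_authtok_reqd case is left out).  The third table is what the line
#   auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so
# expresses: requisite semantics, but an unknown user is skipped over.
REQUISITE = {SUCCESS: "ok", IGNORE: "ignore", "default": "die"}
REQUIRED = {SUCCESS: "ok", IGNORE: "ignore", "default": "bad"}
REQUISITE_UNKNOWN_IGNORED = dict(REQUISITE, user_unknown="ignore")

def pam_securetty(user, tty, version):
    """Model of pam_securetty: only root is confined to secure ttys.
    'old' = pre-0.99.1 (unknown user -> PAM_IGNORE), 'new' = PAM_USER_UNKNOWN.
    Second value: this module never shows a password prompt."""
    if tty in SECURE_TTYS:
        return SUCCESS, False
    if user not in USERS:
        return (IGNORE if version == "old" else USER_UNKNOWN), False
    return (AUTH_ERR if user == "root" else SUCCESS), False

def password_module(user, tty):
    """Stand-in for pam_unix: always shows a password prompt (second value)
    and then reports; the demo assumes a correct password for known users."""
    return (SUCCESS if user in USERS else USER_UNKNOWN), True

def run_stack(stack, user, tty):
    """Combine module results the way libpam walks an auth stack.
    Returns (final status, whether a password prompt was ever shown)."""
    status, prompted = None, False
    for control, module in stack:
        rc, asked = module(user, tty)
        prompted = prompted or asked
        action = control.get(rc, control["default"])
        if action == "ok" and status is None:
            status = rc
        elif action in ("bad", "die"):
            if status in (None, SUCCESS):    # the first failure decides the status
                status = rc
            if action == "die":              # requisite: stop the stack at once
                break
    return (status if status is not None else AUTH_ERR), prompted

def login(user, tty, version, control=REQUISITE):
    """Debian-style login stack: pam_securetty first, then the password module."""
    stack = [(control, lambda u, t: pam_securetty(u, t, version)),
             (REQUIRED, password_module)]
    return run_stack(stack, user, tty)
```

On an insecure tty, `login("bob", "pts/0", "new")` ends without a prompt while `login("alice", "pts/0", "new")` prompts, which is the enumeration signal; with `REQUISITE_UNKNOWN_IGNORED` or the old behaviour both prompt, and so does a mistyped root name.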