pam_securetty failure for unknown users on secure ttys
Thorsten Kukuk
kukuk at suse.de
Sun Jun 15 08:18:23 UTC 2008
On Sat, Jun 14, Nicolas François wrote:
> Hello,
>
> On Debian, login uses pam_securetty as a requisite module.
> The reason for this is to fail immediately if the tty is not secure to
> avoid prompting for a password on an insecure line.
>
> In Linux-PAM-0_99_1_0 (pam_securetty.c revision 1.8), the return value of
> the authentication function was changed from PAM_IGNORE to
> PAM_USER_UNKNOWN.
> When pam_securetty is a requisite module, this means that the
> authentication will fail immediately if the user does not exist in the
> system. This might indicate to an attacker that the given user does not
> exist.
If you don't like that, you can overwrite in this case (see pam.conf manual
page).
> What was the rationale for changing the return value from PAM_IGNORE to
> PAM_USER_UNKNOWN?
Assume root mistypes his account name, pam_securetty would return
PAM_IGNORE, next module would allow root to correct the user name
and root is able to login on an insecure tty.
> (BTW the pam_securetty's manpage needs an update)
Please make a bug report on sf.net for this, so it does not get lost.
> I would prefer that pam_securetty fails only if the tty is not secure and
> the user is root or unknown.
I fail to see the difference to the current behavior. With your suggestion,
an attacker can also simply find out if the account exists or not.
> And to leave the user authentication / check for validity to the pam_unix
> module.
pam_securetty does neither user authentication nor a check
for validity, it only needs to find out if the user is root.
If it does not know the user, it cannot find out if it is root.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
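An added example, not from the thread, of the pam.conf override Thorsten points to (assumed Debian-style /etc/pam.d/login; constructed fragment). The first line is the requisite form the original post describes; the second replaces it with the bracketed control syntax from pam.conf(5) and maps user_unknown to ignore, so an unknown user no longer fails the stack at pam_securetty. This is exactly the trade-off discussed above: the unknown-user case then falls through to the next module instead of being refused on the insecure tty.

```text
# /etc/pam.d/login  (constructed example, assumed layout)

# Before: as described in the post. On an insecure tty the stack fails
# immediately; since Linux-PAM 0.99.1.0 it also fails immediately when the
# user is unknown, because the module returns PAM_USER_UNKNOWN.
#auth   requisite   pam_securetty.so

# pam.conf(5) defines 'requisite' as:
#   [success=ok new_authtok_reqd=ok ignore=ignore default=die]
# After: same control, but PAM_USER_UNKNOWN is treated like PAM_IGNORE, so
# the stack continues to the next module (e.g. pam_unix) for unknown users
# rather than returning a distinguishable failure here. Unknown names on an
# insecure tty are then handled by the later modules, which is the case
# Thorsten describes.
auth    [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=die]   pam_securetty.so

# Remaining auth modules unchanged
auth    required    pam_unix.so
```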