pam_securetty failure for unknown users on secure ttys
Nicolas François
nekral.lists at gmail.com
Sun Jun 22 20:50:12 UTC 2008
Hi,
On Sat, Jun 21, 2008 at 09:14:27AM +0200, kukuk at suse.de wrote:
>
> On Sat, Jun 21, Nicolas François wrote:
>
> > If the failure were limited to non-secure TTYs, this would limit the
> > probability of such brute force.
>
> But wouldn't a hacker come from a non-secure TTY most of the time?
> And there you would still have the same problem with your suggestion.
> It only helps for the local console, not for network attacks.
Yes. It's far from perfect.
Enforcing a delay in login might be better to protect against brute force
attacks.
> Between, what I use to avoid your problem in /etc/pam.d/login:
>
> auth requisite pam_nologin.so
> auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
> auth include common-auth
Thanks, that's what I will consider.
Best Regards,
--
Nekral
More information about the Pam-list
mailing list