Password aging
Rick Stevens
rstevens at vitalstream.com
Thu Aug 18 22:46:11 UTC 2005
Rick Stevens wrote:
> Allen, Jack wrote:
>
>> Rick Stevens wrote: AH! The lightbulb turns on! I haven't used
>> telnet in a long time and
>> wasn't aware that's what you were doing.
>>
>> First, may I suggest that you disable telnetd immediately. Never use it
>> unless you are behind a really strong firewall and can guarantee the
>> security of your network. The telnet protocol is completely insecure
>> and sends EVERYTHING (including passwords) through in cleartext--which
>> is a bloody horrible idea as you can well imagine!
>>
>> Now, on top of the security issues I mentioned above, all telnetd cares
>> about is whether login validates you or not. Since the account hasn't
>> been disabled, login will approve you and telnet lets you log in. Note,
>> however, that the warnings that login gives are (rather unceremoniously)
>> thrown away by telnetd.
>>
>> If, however, password aging had expired the account (and therefore login
>> would reject you), then telnetd wouldn't let you in either. telnetd is
>> a "pass or fail" system, not a "pass, pass with warnings, or fail"
>> system.
>>
>> Hope that explains it a bit, and sorry about the misunderstanding.
>>
>> ===========
>> I know all about the lack of security with telnet. Our development
>> systems are all behind a very restricted firewall and our product is
>> deployed at our customers behind firewalls. The product requires telnet
>> because of some old terminal emulation with enhancements that has to
>> be used
>> by the users.
>>
>> I don't know exactly how Linux functions as far as telnet and login,
>> but I do know how telnet and login work UNIX systems. The login prompt is
>> presented to the user by the login program which communicates through the
>> telnetd process back through the network. The telnetd process is actually
>> the parent process for login. The login program does all the prompting
>> the
>> user for the login name and their password and does all the validation,
>> password aging checks and so forth. Then it overlays itself with the
>> shell
>> specified in the passwd file. As I said earlier, when I connect via
>> telnet
>> it runs login, when I connect via ssh it also runs login. I checked this
>> when I connected before I even entered a login name. Therefore it
>> seems to
>> me that login is being used by both ways of connecting to the system
>> and it
>> should be the one doing validation and aging checking. If this is true, I
>> still can not figure out why one does aging and the other does not.
>
>
> It's not aging, it's the _warnings_ that login gives about the state of
> the password that aren't propagated through the telnet pipe. I'm not
> 100% sure of this, but if telnetd wasn't built with AUTHENTICATION
> enabled, these messages are ignored, and I don't know how it was built.
>
>> Just as a side question, when is the PAM configuration files in
>> /etc/pam.d used? There is one for password, login, and sshd. I checked
>> the
>> last accessed time on all of them and password and login are never
>> accessed.
>> So what are they there for?
>
>
> Those control what PAM things are required for the named application.
> In other words, /etc/pam.d/passwd controls access regarding the use of
> the /usr/bin/passwd _program_, not access to the /etc/passwd _file_.
> File access is handled by the standard permissions and ACLs.
>
> Similarly, /etc/pam.d/login controls use of the /bin/login program, and
> then only if it's invoked by a user--not by another program (e.g. sshd
> or telnetd). It's assumed that, because another program is invoking it,
> that program has already authenticated in some manner--at least the
> session must be valid. If you look at the differences between the
> /etc/pam.d/sshd and /etc/pam.d/login files, you'll see that sshd's
> requirements for the session portion are less restrictive so it can run
> login.
>
>> Does anyone have the source loaded and can look at login and see if
>> it uses the PAM files or calls other things that may use them or deals
>> with
>> the shadow file and aging directly?
>
>
> login does all that. Again, aging is taking place. You simply don't
> see the warnings that login issues when you use telnet, that's all.
Followup:
telnetd isn't even PAM-aware, so it's entirely possible that it never
checks aging (it doesn't invoke pam_stack.so). login will still fail
if the account is expired, but you won't get any messages.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Brain: The organ with which we think that we think. -
----------------------------------------------------------------------
More information about the Redhat-install-list
mailing list