Re: Big security hole in (my config of) PAM

To: debian-security@lists.debian.org
Subject: Re: Big security hole in (my config of) PAM
From: Noah Meyerhans <noahm@debian.org>
Date: Mon, 16 Aug 2004 20:29:25 -0400
Message-id: <[🔎] 20040817002925.GE29225@morgul.net>
Mail-followup-to: Noah Meyerhans <noahm@debian.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] 20040816233442.GA18411@freyja.cellform.com>
References: <[🔎] 20040816233442.GA18411@freyja.cellform.com>

On Tue, Aug 17, 2004 at 07:34:42AM +0800, John Darrington wrote:
> Whenever I add the line 
> 
> auth    required       pam_securetty.so

It is not due to this line.

> auth    sufficient      pam_unix.so nullok_secure 

This is the problem.  You are not requiring that people authenticate,
thus an incorrect password will not result in a hard failure.

You need to read the PAM documentation.

noah

Attachment: pgp5641bXh8t9.pgp
Description: PGP signature

Reply to:

References:
- Big security hole in (my config of) PAM
  - From: John Darrington <john@cellform.com.au>

Prev by Date: Big security hole in (my config of) PAM
Next by Date: Re: Static NAT w/ iptables problem
Previous by thread: Big security hole in (my config of) PAM
Next by thread: Re: [WSO Core #5325] [SECURITY] [DSA 538-1] New rsync packages fix unauthorised directory traversal and file access
Index(es):
- Date
- Thread