[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: less secure login

On Thu, Apr 30, 2009 at 10:10:41PM +0100, Christian Koerner wrote:
> David Jardine wrote:
>> When logging into a console under squeeze, a false user name is now
>> rejected immediately.  Up to recently there was no reaction to a false 
>> user name until the password had been entered.
>>
>> Although I personally find the new behaviour more convenient, it seems 
>> to me less secure to give an intruder feedback on his guess at the user 
>> name before he goes on to guessing the password.
>>
>> I couldn't find anything relevant to the change in the docs under  
>> /usr/share/doc/login - but I don't even know that that's the right  
>> place to look.
>>
>> Is this a bug or a supposed feature?  And which package is involved?
>>
>
> Not sure if you are looking for that, but have a look in /etc/pam.d/login:
> ...
> # Disallows root logins except on tty's listed in /etc/securetty
> # (Replaces the `CONSOLE' setting from login.defs)
> # Note that it is included as a "requisite" module. No password prompts will
> # be displayed if this module fails to avoid having the root password
> # transmitted on unsecure ttys.
> # You can change it to a "required" module if you think it permits to
> # guess valid user names of your system (invalid user names are considered
> # as possibly being root).
> auth       requisite  pam_securetty.so
> ...

That was exactly it!  Changing 'requisite' to 'required' reverts it 
to the old behaviour.

Thanks a lot, Christian.

Cheers,
David

-- 
"Running Debian/GNU Linux and
loving every minute of it." -L. von Sacher-M. (1835-1895)
Reply to: