[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security warning from pam_securetty

Since I have not got any replies in a couple of days, either from the
devel or the user lists, I'll file a bug (btw, can an old bug be
reopened). Any objections or comments?

On Mon, 2004-05-03 at 19:36, Svante Signell wrote:
> Is the bug #243698 in libpam0g really resolved in version 0.76-20? I
> still get the security warnings in my logfiles. What is referred to in
> the changelog.Debian for the null password check: passwd, shadow etc?
> How are these related to the /etc/pam.d/* files. Eg. the
> /etc/pam.d/common-password has the following entry enabled:
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
> An alternate solution is in the same file. Is this solution to prefer? 
> # password required       pam_cracklib.so retry=3 minlen=6 difok=3
> # password required       pam_unix.so use_authtok nullok md5
> If possible, please explain or if possible give a HOWTO- or an
> FAQ-pointer that describes the current pam behaviour. 
> changelog.Debian entry below:
> pam (0.76-20) unstable; urgency=medium
> * Update to patch 55 to only check securetty when we are sure the
> password is null, Closes: #243698
> * Medium urgency because the version now in testing has confusing and
> verbose log messages.
> * Include pam_getenv script which hopefully will be used by some
> people somewhere for some purpose
> -- Sam Hartman <hartmans@debian.org>  Wed, 28 Apr 2004 22:51:18 -0400
> Please Cc: me since I'm not subscribed to debian-user
> On Tue, 2004-04-20 at 15:27, Colin Watson wrote:
> > On Mon, Apr 19, 2004 at 08:57:13PM +0200, Svante Signell wrote:
> >> I find these messages in my logfiles. What has changed recently?
> >> The access to the tty devices is crw-rw---- and owned by root.tty.
> >> sshd[4196]: (pam_securetty) access denied: tty 'ssh' is not secure !
> >> xscreensaver: (pam_securetty) access denied: tty ':0.0' is not secure
> !
> > This is a filed bug against pam.

Reply to: