Re: Root login

To: Roger Bumgarner <roger.bumgarner@gmail.com>
Cc: François Cerbelle <francois@cerbelle.net>, debian-security@lists.debian.org
Subject: Re: Root login
From: Simon Valiquette <v.simon@ieee.org>
Date: Sun, 14 Sep 2008 11:20:09 -0400
Message-id: <[🔎] 48CD2BA9.4000708@ieee.org>
In-reply-to: <[🔎] 235a4bf70809130459v29fff5f5s3a83ff67e77cc2a5@mail.gmail.com>
References: <[🔎] 48BF9844.3040001@vodafone.it> <[🔎] 200809041325.13553.krzywicki.pawel@gmail.com> <[🔎] 20080904144754.35fb0014@halmanfloyd.lan.local> <[🔎] 48C50641.9070503@gryzor.com> <[🔎] slrngcmae3.5b9.keeling@phreaque.nucleus.com> <[🔎] 23086.83.206.128.14.1221294035.squirrel@webmail.cerbelle.net> <[🔎] 235a4bf70809130459v29fff5f5s3a83ff67e77cc2a5@mail.gmail.com>

Roger Bumgarner un jour écrivit:

I just tested this behavior on my Lenny/Sid workstation and Etch
server... frightening indeed! Lenny does spit out an error whereas
Etch still gives a password prompt.

Well, It is not that bad as It is usualy only exploitable localy. Butstill certainly not the best behavior.

Also, It allows to guess if some application have been installedwithout loggin in, because some application creates a user in /etc/passwd

however, since this happens at the login shell, I'd be more concerned
about a user booting a liveCD. I assume SSH still behaves correctly?
can someone verify?

It is all configured in PAM, and ssh use a different config file so Itis not affected.

To restore the original behaviour, just modify the file/etc/pam.d/login by replacing the following line by the second:


#auth	requisite	pam_securetty.so
auth	required	pam_securetty.so

or even better (on a single line):

auth [success=ok new_authtok_reqd=ok ignore=ignore auth_err=dieservice_err=die default=ignore] pam_securetty.so


  You can look at man pam.d (5) and pam_securetty to understand
what It changes.

With the Lenny behaviour, someone who attempt by mistake to login asroot when using a tty (or equivalent) that has not been marked as trustedin /etc/securetty will be prevented to enter the root password (actuallyjust strongly discouraged).

With the old behaviour, he/she would still have been able to type inhis password using a potentially untrusted channel, before seeing hislogin attempt being denied anyway.



  My guess is what they really wanted to do was something like the following:

auth [success=ok new_authtok_reqd=ok ignore=ignore auth_err=dieservice_err=die default=ignore] pam_securetty.so

I only made some quick tests by disabling one tty in securetty, so youshould check It before trusting that It works as intended.


Simon Valiquette

Reply to:

Follow-Ups:
- Re: Root login
  - From: Simon Valiquette <v.simon@ieee.org>

References:
- Root login
  - From: "kishore@vodafone.it" <kishore@vodafone.it>
- Re: Root login
  - From: Paweł Krzywicki <krzywicki.pawel@googlemail.com>
- Re: Root login
  - From: Marek Kubica <marek@xivilization.net>
- Re: Root login
  - From: Vincent Deffontaines <vincent@gryzor.com>
- Re: Root login
  - From: "s. keeling" <keeling@nucleus.com>
- Re: Root login
  - From: François Cerbelle <francois@cerbelle.net>
- Re: Root login
  - From: "Roger Bumgarner" <roger.bumgarner@gmail.com>

Prev by Date: Re: Root login
Next by Date: Re: apt-get not upgrading kernel
Previous by thread: Re: Root login
Next by thread: Re: Root login
Index(es):
- Date
- Thread