Re: Debian bug 531341
On Tue, Jul 21, 2009 at 04:44:28AM -0500, firstname.lastname@example.org wrote:
> >Then I will try to remember this thread when I look again at this bug.
> >Hopefully soon.
> We can summarize the conclusions and post that to the bug. How does
> that sound?
If the bug is solved this week ,that should be OK.
> The PROPER behavior of pam_securetty is supposed to be that it returns
> "failure" only when the user is "root" and the TTY is not "secure".
This is not the current behavior of pam_securetty.
I filed bug #537848 to ask for the invalid user check to be performed only
in insecure lines.
I do not know when the behavior changed (somewhere around PAM 1.0)
> >This looks similar to a pam_securetty.so configured with:
> >[success=ok new_authtok_reqd=ok user_unknown=ok ignore=ignore default=die]
> That's Greek to me. Despite repeated requests for funding, I was
> unable to get AIX to use PAM while I was the AIX security architect.
> I understand that the money was finally budgeted and PAM was doing
> more properly since I left that department.
>From pam.conf(5), "requisite" is identical to
[success=ok new_authtok_reqd=ok ignore=ignore default=die]
So I'm just adding that invalid users should be accepted (user_unknown=ok).
As it is still default=die, root's password is not prompted (i.e. other
modules in the PAM stack are not run) on insecure lines.