[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian bug 531341


On Tue, Jul 21, 2009 at 04:44:28AM -0500, tallgirl@austin.rr.com wrote:
> >Then I will try to remember this thread when I look again at this bug.
> >Hopefully soon.
> We can summarize the conclusions and post that to the bug.  How does
> that sound?

If the bug is solved this week ,that should be OK.

> The PROPER behavior of pam_securetty is supposed to be that it returns
> "failure" only when the user is "root" and the TTY is not "secure".

This is not the current behavior of pam_securetty.
I filed bug #537848 to ask for the invalid user check to be performed only
in insecure lines.
I do not know when the behavior changed (somewhere around PAM 1.0)

> >This looks similar to a pam_securetty.so configured with:
> >[success=ok new_authtok_reqd=ok user_unknown=ok ignore=ignore default=die]
> That's Greek to me.  Despite repeated requests for funding, I was
> unable to get AIX to use PAM while I was the AIX security architect.
> I understand that the money was finally budgeted and PAM was doing
> more properly since I left that department.

>From pam.conf(5), "requisite" is identical to
[success=ok new_authtok_reqd=ok ignore=ignore default=die]

So I'm just adding that invalid users should be accepted (user_unknown=ok).

As it is still default=die, root's password is not prompted (i.e. other
modules in the PAM stack are not run) on insecure lines.

Best Regards,

Reply to: