Re: Debian bug 531341

To: tallgirl@austin.rr.com
Cc: debian-security@lists.debian.org
Subject: Re: Debian bug 531341
From: Nicolas François <nicolas.francois@centraliens.net>
Date: Tue, 21 Jul 2009 10:30:24 +0200
Message-id: <[🔎] 20090721083024.GA2006@nekral.nekral.homelinux.net>
Mail-followup-to: tallgirl@austin.rr.com, debian-security@lists.debian.org
In-reply-to: <[🔎] 33B2503701ED47DAB57786B55099763B@JuliesDV9K>
References: <E0D7BE0B0FA846589C6E1FF82BF3745A@JuliesDV9K> <[🔎] 20090720222510.GI26355@nekral.nekral.homelinux.net> <[🔎] 33B2503701ED47DAB57786B55099763B@JuliesDV9K>

Hello Julie,

On Mon, Jul 20, 2009 at 07:58:37PM -0500, tallgirl@austin.rr.com wrote:
> 
> I've taken the "bug" e-mail address out of the Cc list -- don't
> think this discussion would be productive there.

Then I will try to remember this thread when I look again at this bug.
Hopefully soon.

> I had a feeling you weren't going to be able to quote a source --
> the interpretation of the requirement is contradicting the clear
> intent of another requirement.  This means the interpretation is
> incorrect.
> 
> The purpose of the "root password doesn't flow on an insecure line"
> isn't to prevent all possible root passwords from flowing on the
> line -- consider the case where the user "rot" does exist, and
> "root" mistypes their password. Your interpretation misses that
> case.  Something is clearly wrong with the interpretation, then.
> 
> The purpose is that the root user cannot sign in over a secure line,
> regardless of whether or not the user knows the correct password.
> There are two (equally valid) approaches --

pam_securetty.so was recently changed to include rejection of invalid
users. So it does not seems to my mis-interpretation but a different
interpretation of what pam_securetty.so is used for.

> 1). The classic solution where root can enter the correct password,
> but the login attempt still reports "login incorrect" because it has
> failed the secure TTYs file test.

This looks like a "required" pam_securetty.so

> 2). A more modern solution where before the password is prompted,
> the attempt is intercepted with a message such as "unauthorized
> user".

I do not really understand solution 2.
You receive an "unauthorized user" only if the user is root.
Valid (but not root) and invalid users are prompted for a password.
Valid (but not root) users with a correct password are allowed to login.

This looks similar to a pam_securetty.so configured with:
[success=ok new_authtok_reqd=ok user_unknown=ok ignore=ignore default=die]

> Depending on your CAPP profile, either may be appropriate -- when I
> was the NSA Vendor Security Analyst for the first several IBM
> security evaluations (I led four, as I recall), I used the more
> classical approach, and that was approved both by the NSA and by
                          ^^^^
"that" is either of solution 1) or 2), or only one of them?

> whatever the German evaluation authority is called (something like
> Government Agency for Security in Information Technologies, only in
> German).  We did TCSEC, ITSEC and CC evaluations, as the different
> schemes all worked their way through the industry.

>From what I understand, you would recommend to change the default
/etc/pam.d/login to use a "required" pam_securetty.so.
Is that correct?

This will cause the password to be asked for, but the login to be rejected
at the end.

> -- Julie Haugh
> creator, Linux Shadow Password Suite.

Thanks a lot for this!

Best Regards,
-- 
Nekral

Reply to:

Follow-Ups:
- Re: Debian bug 531341
  - From: "Julie" <tallgirl@austin.rr.com>

References:
- Re: Debian bug 531341
  - From: Nicolas François <nicolas.francois@centraliens.net>
- Re: Debian bug 531341
  - From: "Julie" <tallgirl@austin.rr.com>

Prev by Date: Re: Debian bug 531341
Next by Date: Re: Debian bug 531341
Previous by thread: Re: Debian bug 531341
Next by thread: Re: Debian bug 531341
Index(es):
- Date
- Thread