
Re: Any Account Logs In With Any Password

Don't want to sound like flame bait, but...

This is just a typical PEBKAC problem. As an admin you are always able to remove authentication from a system no matter how "safe" the failsafe is.

How about: don't experiment with stuff that you don't fully understand?

The original post was about doing something that totally breaks the security of the system. If you move this function elsewhere, he might have changed that too!

PAM is well documented and used everywhere.

A bug magnet

On Oct 27, 2010, at 17:05, Henrique de Moraes Holschuh <hmh@debian.org> wrote:

> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success.  If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario.  Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).
> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*.  I wonder what is the
> justification behind that decision...
> -- 
>  "One disk to rule them all, One disk to find them. One disk to bring
>  them all and in the darkness grind them. In the Land of Redmond
>  where the shadows lie." -- The Silicon Valley Tarot
>  Henrique Holschuh
