Re: Any Account Logs In With Any Password

To: debian-security@lists.debian.org
Subject: Re: Any Account Logs In With Any Password
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 27 Oct 2010 19:05:33 -0200
Message-id: <[🔎] 20101027210533.GB27847@khazad-dum.debian.net>
In-reply-to: <85DB4032FBDB47DBEC79C87E@[192.168.1.66]>
References: <[🔎] 4CC5F3C3.5020502@vt.edu> <85DB4032FBDB47DBEC79C87E@[192.168.1.66]>

On Mon, 25 Oct 2010, Michael Loftis wrote:
> checks prior to this indicate a soft success.  If you remove
> authentication from your system, its expected that any attempt to
> access will pass, barring and specific denial.

If I remove authentication from my system, I expect it to tell me to get
lost, as that is the _only_ safe failure scenario.  Recovery is supposed to
be done through single-user mode and sulogin in that case (if you don't have
a root window already open somewhere, that is).

This fail-unsafe behaviour looks like it is a "feature" of the default
config being shipped in /etc/pam.d/common-*.  I wonder what is the
justification behind that decision...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: Any Account Logs In With Any Password
  - From: Brad Tilley <brad@16systems.com>
- Re: Any Account Logs In With Any Password
  - From: Luis M <lemsx1@gmail.com>
- Re: Any Account Logs In With Any Password
  - From: Jordon Bedwell <jordon@envygeeks.com>

References:
- Any Account Logs In With Any Password
  - From: Brad Tilley <rtilley@vt.edu>
- Re: Any Account Logs In With Any Password
  - From: Michael Loftis <mloftis@wgops.com>

Prev by Date: Re: Any Account Logs In With Any Password
Next by Date: Re: Any Account Logs In With Any Password
Previous by thread: Re: Any Account Logs In With Any Password
Next by thread: Re: Any Account Logs In With Any Password
Index(es):
- Date
- Thread