Re: less secure login
On Thu, Apr 30, 2009 at 10:10:41PM +0100, Christian Koerner wrote:
> David Jardine wrote:
>> When logging into a console under squeeze, a false user name is now
>> rejected immediately. Up to recently there was no reaction to a false
>> user name until the password had been entered.
>> Although I personally find the new behaviour more convenient, it seems
>> to me less secure to give an intruder feedback on his guess at the user
>> name before he goes on to guessing the password.
>> I couldn't find anything relevant to the change in the docs under
>> /usr/share/doc/login - but I don't even know that that's the right
>> place to look.
>> Is this a bug or a supposed feature? And which package is involved?
> Not sure if you are looking for that, but have a look in /etc/pam.d/login:
> # Disallows root logins except on tty's listed in /etc/securetty
> # (Replaces the `CONSOLE' setting from login.defs)
> # Note that it is included as a "requisite" module. No password prompts will
> # be displayed if this module fails to avoid having the root password
> # transmitted on unsecure ttys.
> # You can change it to a "required" module if you think it permits to
> # guess valid user names of your system (invalid user names are considered
> # as possibly being root).
> auth requisite pam_securetty.so
That was exactly it! Changing 'requisite' to 'required' reverts it
to the old behaviour.
Thanks a lot, Christian.
"Running Debian/GNU Linux and
loving every minute of it." -L. von Sacher-M. (1835-1895)
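The difference between 'requisite' and 'required' that the thread turns on can be shown with a small model of how PAM walks the auth stack. This is an added illustration, not code from the thread or from Debian's PAM; the account table, the module outcomes and the two-line stacks are constructed stand-ins for /etc/shadow, pam_securetty.so and pam_unix.so.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    control: str  # "required", "requisite", "sufficient" or "optional"
    module: str

def run_auth_stack(stack, results):
    """Walk a PAM auth stack top to bottom, modelling the control flags.

    results maps module name -> True (PAM_SUCCESS) / False for this attempt.
    Returns (authenticated, modules_invoked); the second value is what someone
    at the console can tell apart: if pam_unix.so is never reached there is
    no password prompt at all.
    """
    invoked, failed = [], False
    for e in stack:
        invoked.append(e.module)
        ok = results[e.module]
        if e.control == "requisite" and not ok:
            return False, invoked        # abort at once, rest of stack skipped
        if e.control == "required" and not ok:
            failed = True                # remember the failure but keep going
        if e.control == "sufficient" and ok and not failed:
            return True, invoked
        # "optional": result is ignored when other modules are present
    return not failed, invoked

# Constructed account table; the real check is pam_unix.so against /etc/shadow.
ACCOUNTS = {"david": "correct-horse"}

def login_attempt(stack, username, password, tty_in_securetty):
    # Model of pam_securetty.so: passes on a tty listed in /etc/securetty, and
    # otherwise only for an existing non-root user (unknown names count as root,
    # as the comment in /etc/pam.d/login says).
    securetty_ok = tty_in_securetty or (username in ACCOUNTS and username != "root")
    unix_ok = ACCOUNTS.get(username) == password
    return run_auth_stack(stack, {"pam_securetty.so": securetty_ok,
                                  "pam_unix.so": unix_ok})

# The two /etc/pam.d/login variants discussed in the thread (other modules omitted).
LOGIN_REQUISITE = [Entry("requisite", "pam_securetty.so"), Entry("required", "pam_unix.so")]
LOGIN_REQUIRED = [Entry("required", "pam_securetty.so"), Entry("required", "pam_unix.so")]

if __name__ == "__main__":
    for name, stack in (("requisite", LOGIN_REQUISITE), ("required", LOGIN_REQUIRED)):
        for user in ("nosuchuser", "david"):
            ok, seen = login_attempt(stack, user, "wrong", tty_in_securetty=False)
            print(f"{name:9} {user:11} auth={ok} modules={seen}")
```

With 'requisite', an unknown name on a tty outside /etc/securetty stops after pam_securetty.so and no password is asked for; with 'required', both an unknown name and a wrong password run the full stack and fail the same way.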