
Re: [debian-pam] Web Page for PAM security compromise



On Tue, Jul 28, 2009 at 10:38:21AM -0400, Sam Hartman wrote:
> Here's a draft of a debconf note I've put together; Steve has not reviewed, and it may change internally.

Here is a revised version of this template which I like better.  Maybe this
one will be final, or maybe Sam will have further corrections. :)

  Template: libpam-runtime/you-had-no-auth
  Type: error
  _Description: Your system allowed access without a password!
   A bug in a previous version of libpam-runtime resulted in no PAM profiles
   being selected for use on this system.  As a result, access was allowed for
   a time to all accounts on your system, with or without a correct password.
   Especially if this system can be accessed from the Internet, it is likely
   that it has been compromised.  Unless you are familiar with recovering from
   security failures, viruses, and malicious software, you should re-install
   this system from scratch or obtain the services of a skilled system
   administrator.  For more information, see:
   .
   http://www.debian.org/security/pam-auth
   .
   The bug that allowed this wrong configuration is fixed in the current
   version of libpam-runtime, and your configuration has now been corrected.
   We apologize that previous versions of libpam-runtime did not detect and
   prevent this situation.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

