Re: [debian-pam] Web Page for PAM security compromise
- To: Sam Hartman <hartmans@debian.org>
- Cc: debian-www@lists.debian.org, don@debian.org, pkg-pam-devel@lists.alioth.debian.org, weasel@debian.org, joeyh@debian.org, madduck@debian.org
- Subject: Re: [debian-pam] Web Page for PAM security compromise
- From: Steve Langasek <vorlon@debian.org>
- Date: Tue, 4 Aug 2009 16:35:22 +0100
- Message-id: <20090804153521.GB5148@dario.dodds.net>
- Mail-followup-to: Steve Langasek <vorlon@debian.org>, Sam Hartman <hartmans@debian.org>, debian-www@lists.debian.org, don@debian.org, pkg-pam-devel@lists.alioth.debian.org, weasel@debian.org, joeyh@debian.org, madduck@debian.org
- In-reply-to: <tslws5sna8y.fsf@mit.edu>
- References: <tslws5sna8y.fsf@mit.edu>
On Tue, Jul 28, 2009 at 10:38:21AM -0400, Sam Hartman wrote:
> Here's a draft of a debconf note I've put together; Steve has not reviewed, and it may change internally.
Here is a revised version of this template which I like better. Maybe this
one will be final, or maybe Sam will have further corrections. :)

Template: libpam-runtime/you-had-no-auth
Type: error
_Description: Your system allowed access without a password!
 A bug in a previous version of libpam-runtime resulted in no PAM profiles
 being selected for use on this system. As a result, access was allowed for
 a time to all accounts on your system, with or without a correct password.
 Especially if this system can be accessed from the Internet, it is likely
 that it has been compromised. Unless you are familiar with recovering from
 security failures, viruses, and malicious software, you should re-install
 this system from scratch or obtain the services of a skilled system
 administrator. For more information, see:
 .
 http://www.debian.org/security/pam-auth
 .
 The bug that allowed this wrong configuration is fixed in the current
 version of libpam-runtime, and your configuration has now been corrected.
 We apologize that previous versions of libpam-runtime did not detect and
 prevent this situation.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org