reassign 482352 login
severity normal
tags 482352 - security
thanks

Hi Nicholas,

* Nicholas Fleisher <[EMAIL PROTECTED]> [2008-05-22 04:43]:
[...]
> Apologies if I've reported this as too severe: it was dealt with as high
> severity in Arch, and seems like a major issue to this layman. Wish I
> could tell you more, but as far as I can tell that's the extent of the
> problem; everything works just fine if you login with a name that exists
> on the system.
Adjusting severity.

This is due to /etc/pam.d/login using "auth requisite pam_securetty.so"
instead of "auth required pam_securetty.so". However, this is a known
issue and even documented in the manual (man pam.conf):

    requisite
        like required, however, in the case that such a module returns a
        failure, control is directly returned to the application. The
        return value is that associated with the first required or
        requisite module to fail. Note, this flag can be used to protect
        against the possibility of a user getting the opportunity to enter
        a password over an unsafe medium. It is conceivable that such
        behavior might inform an attacker of valid accounts on a system.
        This possibility should be weighed against the not insignificant
        concerns of exposing a sensitive password in a hostile environment.

Looking at this I don't really see this as a security issue, especially
not as it makes sense to set it to requisite and people can still
configure it differently if they want.

Opinions?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
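The trade-off discussed in this thread, as an added example that is not part of the bug report or of Linux-PAM: a small model of how an "auth" stack is walked under the "required" and "requisite" control flags from man pam.conf, applied to the two /etc/pam.d/login variants above. The account, tty and password data are constructed stand-ins for /etc/passwd, /etc/securetty and /etc/shadow, and the assumed pam_securetty behaviour (unknown accounts fail, non-root accounts pass, root passes only on a secure tty) follows what the report describes rather than the module's source.

```python
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed sample data standing in for /etc/passwd, /etc/securetty and /etc/shadow.
ACCOUNTS = {"root": 0, "alice": 1000}          # name -> uid
SECURE_TTYS = {"tty1"}
PASSWORDS = {"root": "r00t-secret", "alice": "hunter2"}

def pam_securetty(user, tty, password, trace):
    # Assumed behaviour, consistent with the report: unknown accounts fail,
    # non-root accounts pass, root passes only on a tty listed in /etc/securetty.
    trace.append("pam_securetty")
    if user not in ACCOUNTS:
        return PAM_USER_UNKNOWN
    if ACCOUNTS[user] != 0 or tty in SECURE_TTYS:
        return PAM_SUCCESS
    return PAM_AUTH_ERR

def pam_unix(user, tty, password, trace):
    # Prompting for the password is the step a person at the terminal can see.
    trace.append("pam_unix:password-prompt")
    return PAM_SUCCESS if PASSWORDS.get(user) == password else PAM_AUTH_ERR

def run_auth_stack(stack, user, tty, password=None):
    """Walk an auth stack of (control, module) pairs as man pam.conf describes:
    requisite: on failure, return to the application at once;
    required:  on failure, keep going; the stack's result is the first failure."""
    trace, first_failure = [], None
    for control, module in stack:
        rc = module(user, tty, password, trace)
        if rc == PAM_SUCCESS:
            continue
        if control == "requisite":
            return rc, trace
        if first_failure is None:       # "required"
            first_failure = rc
    return first_failure or PAM_SUCCESS, trace

# The two configurations the thread compares.
REQUISITE_STACK = [("requisite", pam_securetty), ("required", pam_unix)]  # as shipped
REQUIRED_STACK = [("required", pam_securetty), ("required", pam_unix)]    # reporter's request

def prompted(stack, user, tty):
    """True when a failed login attempt for `user` on `tty` reaches the password prompt."""
    _, trace = run_auth_stack(stack, user, tty, password="wrong")
    return "pam_unix:password-prompt" in trace

if __name__ == "__main__":
    for name, stack in (("requisite", REQUISITE_STACK), ("required", REQUIRED_STACK)):
        for user in ("alice", "nobody-here", "root"):
            print(f"{name:9} tty2 {user:12} prompted={prompted(stack, user, 'tty2')}")
```

With requisite, an unknown name on an insecure tty never reaches the password prompt while an existing one does (the enumeration the reporter saw), whereas with required both are prompted but root is then asked for its password on an insecure tty, which is the exposure the manual page weighs against it.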