On Wed, Nov 18, 2009 at 6:40 AM, Caleb Cushing <xenoterracide@gmail.com> wrote:
so here's the problem I've discovered: http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-k... (links to arch bug included). Posting here because I believe both kde's and arch's developers' responses are less than satisfactory. This is a security bug and easy to fix without making users' lives more difficult.
so I'm starting with /etc/pam.d/login
auth required pam_shells.so #add this: why let someone log in who has an invalid shell.
/etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login since it allows logins.
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_unix.so nullok
auth required pam_shells.so # as my blog says setting an invalid shell is a common way of disabling accounts.
auth required pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
account required pam_access.so
account required pam_time.so
account required pam_unix.so
password required pam_unix.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
#password required pam_unix.so md5 shadow use_authtok
session required pam_unix.so
session required pam_env.so
session required pam_limits.so
also I believe pam_tally2 replaces pam_tally; you may wish to consider migrating (non-urgent, next release?)
So basically you just need to add "auth required pam_shells.so" to all pam files related to login, correct? Or what were the other problematic settings of pam.d/kde?

The comments about this being an upstream problem are invalid, as these pam files are all shipped by arch:
http://repos.archlinux.org/wsvn/packages/kdebase-workspace/trunk/
http://repos.archlinux.org/wsvn/packages/shadow/trunk/login

Note that this problem probably exists with all login managers. For example gdm does not have pam_shells.so either.
http://repos.archlinux.org/wsvn/packages/gdm/trunk/

And I am curious to know what the pam settings of other distros are (debian, fedora, gentoo, ...).

Finally, maybe it makes sense to try keeping all the different pam login files as consistent as possible. But I don't know enough about pam to tell.
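One way to check a host for the gap discussed in this thread, as an added example that is not from either poster: it lists login-related PAM service files with no active pam_shells.so line, and the accounts whose shell is outside /etc/shells (the ones such a service would still let in). It runs against a constructed sample tree; the PAMD_DIR, SHELLS_FILE and PASSWD_FILE variables are assumptions you can point at the real /etc/pam.d, /etc/shells and /etc/passwd for a read-only audit.

```shell
# Constructed sample data (not from a real host): an /etc/shells, an
# /etc/passwd with one account disabled via /bin/false, and two PAM service
# files, one that loads pam_shells.so and one where it is commented out.
SAMPLE_DIR=$(mktemp -d)
SHELLS_FILE="$SAMPLE_DIR/shells"
PASSWD_FILE="$SAMPLE_DIR/passwd"
PAMD_DIR="$SAMPLE_DIR/pam.d"
mkdir -p "$PAMD_DIR"
printf '/bin/sh\n/bin/bash\n' > "$SHELLS_FILE"
printf 'alice:x:1000:1000::/home/alice:/bin/bash\nbob:x:1001:1001::/home/bob:/bin/false\n' > "$PASSWD_FILE"
printf 'auth required pam_unix.so nullok\nauth required pam_shells.so\n' > "$PAMD_DIR/login"
printf 'auth required pam_unix.so nullok\n#auth required pam_shells.so\n' > "$PAMD_DIR/kdm"

# Return 0 if FILE has an uncommented auth line that loads pam_shells.so.
pam_shells_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_shells\.so' "$1"
}

# Print, one per line, the named services under PAMD_DIR that lack pam_shells.so
# (a missing service file is reported too, since it would fall back to "other").
missing_pam_shells() {
    for svc in "$@"; do
        f="$PAMD_DIR/$svc"
        [ -f "$f" ] || { echo "$svc (no file)"; continue; }
        pam_shells_active "$f" || echo "$svc"
    done
}

# Print accounts whose login shell is not listed in SHELLS_FILE. These are the
# accounts pam_shells.so rejects, and the ones a stack without it still admits.
shell_disabled_accounts() {
    while IFS=: read -r user _ _ _ _ _ shell; do
        grep -qxF -- "$shell" "$SHELLS_FILE" || echo "$user"
    done < "$PASSWD_FILE"
}

missing_pam_shells login kdm
shell_disabled_accounts
```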