[arch-general] pam settings INSECURE

Caleb Cushing xenoterracide at gmail.com
Wed Nov 18 00:40:38 EST 2009

so here's the problem I've discovered
< links to arch bug included posting here because I believe both kde's
and arch's developers responses are less than satisfactory. This is a
security bug an easy to fix without making users lives more difficult.

so I'm starting with /etc/pam.d/login

auth        required    pam_shells.so #add this: why let someone login
who has an invalid shells.

/etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login
since it allows logins.

auth        requisite   pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_shells.so # as my blog says setting an
invalid shell is a common way of disabling accounts.
auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth       required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
account     required    pam_access.so
account     required    pam_time.so
account     required    pam_unix.so
password    required    pam_unix.so
#password   required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
#password   required    pam_unix.so md5 shadow use_authtok
session     required    pam_unix.so
session     required    pam_env.so
session     required    pam_limits.so

also I believe pam_tally2 replaces pam_tally may wish to consider
migrating (non urgent next release?)

Caleb Cushing


More information about the arch-general mailing list