[arch-general] pam settings INSECURE
Caleb Cushing
xenoterracide at gmail.com
Wed Nov 18 00:40:38 EST 2009
so here's the problem I've discovered
http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
(links to arch bug included) posting here because I believe both kde's
and arch's developers' responses are less than satisfactory. This is a
security bug and easy to fix without making users' lives more difficult.
so I'm starting with /etc/pam.d/login
auth required pam_shells.so # add this: why let someone log in who has an invalid shell?
/etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login since it allows logins.
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_unix.so nullok
auth required pam_shells.so # as my blog says, setting an invalid shell is a common way of disabling accounts.
auth required pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
account required pam_access.so
account required pam_time.so
account required pam_unix.so
password required pam_unix.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
#password required pam_unix.so md5 shadow use_authtok
session required pam_unix.so
session required pam_env.so
session required pam_limits.so
also I believe pam_tally2 replaces pam_tally; may wish to consider
migrating (non-urgent, next release?)
--
Caleb Cushing
http://xenoterracide.blogspot.com
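As an added audit helper (not part of the post above or of any Arch package), the script below shows what the missing pam_shells line leaves exposed: it lists accounts whose login shell is not in /etc/shells (the "disabled by invalid shell" accounts the post refers to) and checks whether a given PAM service file actually enforces pam_shells in its auth stack. It runs on constructed sample files in a scratch directory; the file paths and account names are made up for the demonstration.

```sh
#!/bin/sh
# Print users from a passwd-format file whose shell is not listed in a
# shells-format file (comments and blank lines in the shells file ignored).
users_with_invalid_shell() {
    awk -F: -v shells="$2" '
        BEGIN { while ((getline line < shells) > 0)
                    if (line !~ /^#/ && line != "") ok[line] = 1 }
        !($7 in ok) { print $1 }
    ' "$1"
}

# Return 0 if the PAM service file has an active auth line for pam_shells.so.
pam_enforces_shells() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_shells\.so' "$1"
}

# Constructed sample data (not real system files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'root:x:0:0::/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/zsh\n' > "$tmp/passwd"
printf 'bob:x:1001:1001::/home/bob:/bin/false\nsvc:x:1002:1002::/srv:/sbin/nologin\n' >> "$tmp/passwd"
printf '/bin/sh\n/bin/bash\n/bin/zsh\n' > "$tmp/shells"
# kdm auth stack as posted, without pam_shells (weak) and with it added (fixed)
printf 'auth requisite pam_nologin.so\nauth required pam_unix.so nullok\n' > "$tmp/kdm.weak"
cp "$tmp/kdm.weak" "$tmp/kdm.fixed"
echo 'auth required pam_shells.so' >> "$tmp/kdm.fixed"

echo "accounts whose shell is not in shells file (rely on pam_shells to stay disabled):"
users_with_invalid_shell "$tmp/passwd" "$tmp/shells"
for f in kdm.weak kdm.fixed; do
    if pam_enforces_shells "$tmp/$f"; then
        echo "$f: pam_shells enforced"
    else
        echo "$f: pam_shells MISSING; the accounts above can still log in here"
    fi
done
```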