[arch-general] pam settings INSECURE

Allan McRae allan at archlinux.org
Wed Nov 18 00:56:55 EST 2009

Caleb Cushing wrote:
> so here's the problem I've discovered
> http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
> < links to arch bug included posting here because I believe both kde's
> and arch's developers' responses are less than satisfactory. This is a
> security bug and easy to fix without making users' lives more difficult.

Oh no.  It has been 1 day and my "bug" is not fixed! I must blog about 
it so the world listens to me...

"I shouldn't have to disable an account in more than 1 way to disable it 
across the board."

Let's see... one-step procedures for disabling the user account:

1) change the password for that user
2) put an asterisk "*" at the beginning of the second field (before the 
encrypted password) in the file /etc/shadow.
3) set an account expiry date using chage
4) userdel is a permanent one-step procedure that works very well...

#2 is my preferred.
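The reply above lists two of its disabling methods in terms of /etc/shadow fields: the leading asterisk in the password field, and an expiry date set with chage. As an added example (not code from the thread or from Arch), here is a small POSIX sh audit that reads lines in /etc/shadow format and reports, per account, whether the password field is unusable (leading "*" or "!"), whether the expiry field (days since 1970-01-01, as written by `chage -E`) has passed, and whether the password field is empty. The sample entries and the "today" value are constructed for the demonstration; the hashes are placeholders.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Classify accounts in /etc/shadow format.
# Field 2 = password hash: a leading "!" or "*" makes the password unusable
#           (the asterisk trick from the thread, or `passwd -l`); an empty
#           field means no password is required at all.
# Field 8 = account expiry in days since 1970-01-01 (what `chage -E` sets);
#           empty means the account never expires.

# shadow_status LINE TODAY_DAYS -> prints "user:status"
# status is one of: active, locked, expired, locked,expired, nopasswd
shadow_status() {
    line=$1
    today=$2
    user=$(printf '%s' "$line" | cut -d: -f1)
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    status=""
    case "$hash" in
        '')          status=nopasswd ;;   # empty password field
        '!'*|'*'*)   status=locked ;;     # unusable hash
    esac
    # Expiry is checked independently of locking so both facts are reported.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        status="${status:+$status,}expired"
    fi
    [ -z "$status" ] && status=active
    printf '%s:%s\n' "$user" "$status"
}

# audit_shadow TODAY_DAYS: read shadow-format lines on stdin, one report per line
audit_shadow() {
    today=$1
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        shadow_status "$line" "$today"
    done
}

# Constructed sample entries (placeholder hashes, not real accounts).
SAMPLE_SHADOW='alice:$6$x$placeholder:14500:0:99999:7:::
bob:*$6$x$placeholder:14500:0:99999:7:::
dave:$6$x$placeholder:14500:0:99999:7::14590:
erin::14500:0:99999:7:::
frank:!$6$x$placeholder:14500:0:99999:7::14590:'

# Constructed "today": 14600 days after the epoch.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 14600
```

On a real system the same check is `audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow` as root; "nopasswd" and "active" lines for accounts that were meant to be disabled are the ones to look at, since only the shadow file is consulted here and a display manager that ignores it (the complaint that started the thread) will not show up in this output.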