[arch-general] pam settings INSECURE

Caleb Cushing xenoterracide at gmail.com
Wed Nov 18 02:24:55 EST 2009


> Oh no.  It has been 1 day and my "bug" is not fixed! I must blog about it so
> the world listens to me...

also no one has presented a /good/ reason for not fixing it, only
reasons they don't think it should be fixed. you could do abc or d
things that I can think of... but no one has said why security
shouldn't be tighter for kde. what's the negative impact? why aren't
failed logins being logged right now? why can users login if they have
an account but no valid shell? seriously? what's the reason that this
should not be fixed? that there MAY be acceptable alternatives? I
don't find the GUI option acceptable, because it's too kde specific,
and (probably) doesn't affect a thing if I change login managers. only
one of the options you suggest actually does what I need to do... but
for some reason it didn't take immediate effect when I tried it.

> 1) change password for that user
> 2) put an asterisk "*" at the beginning of the second field (before the
> encrypted password) in the file /etc/shadow.
> 3) set an account expiry date using chage
> 4) userdel is permanent one step procedure that works very well...

also 1 and 2 probably don't affect alternative forms of
authentication... such as key auth, and thus do not effectively
disable the account.


-- 
Caleb Cushing

http://xenoterracide.blogspot.com
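The four options quoted above do not disable an account equally. Changing or locking the password (options 1 and 2) only affects password authentication; an account expiry date set with `chage -E` (option 3) is enforced by pam_unix's account stage for every login path, key-based SSH included. The audit helper below is an added example, not code from this thread or from Arch: it takes an account's /etc/passwd line, its /etc/shadow line, whether an authorized_keys file exists, and today's date in days since the epoch (the unit /etc/shadow uses), and reports how effectively the account is disabled. All sample lines are constructed; the hash strings are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify how effectively a
# Unix account is disabled from its passwd/shadow entries and key material.
#
# account_status PASSWD_LINE SHADOW_LINE HAS_KEYS(yes|no) TODAY_DAYS
#   TODAY_DAYS is days since the epoch, i.e. $(( $(date +%s) / 86400 )),
#   passed explicitly so the function is deterministic.
account_status() {
    passwd_line=$1; shadow_line=$2; has_keys=$3; today=$4
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)   # field 7: login shell
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)    # field 2: password hash
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)  # field 8: expiry (days)

    # Account expiry is checked by pam_unix's account stage regardless of how
    # the user authenticated, so it disables key-based logins too.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo "disabled:expired"
        return 0
    fi

    # A hash prefixed with "!" (passwd -l) or "*" only blocks password auth.
    case "$hash" in
        '!'*|'*'*) pw_locked=yes ;;
        *)         pw_locked=no ;;
    esac

    # A nologin/false shell does not by itself stop a PAM-based login manager
    # from authenticating the user; it only affects what runs afterwards.
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/usr/bin/nologin|/bin/false) shell_valid=no ;;
        *) shell_valid=yes ;;
    esac

    if [ "$pw_locked" = yes ] && [ "$has_keys" = yes ]; then
        echo "partial:password-locked,key-auth-still-possible"
    elif [ "$pw_locked" = yes ]; then
        echo "disabled:password-locked"
    elif [ "$shell_valid" = no ]; then
        echo "partial:nologin-shell,password-still-valid"
    else
        echo "enabled"
    fi
}

# Constructed sample accounts (passwd line | shadow line | has authorized_keys).
# "today" is fixed at day 14600 so the expiry comparison is reproducible.
report() {
    today=14600
    while IFS='|' read -r p s k; do
        [ -z "$p" ] && continue
        user=$(printf '%s\n' "$p" | cut -d: -f1)
        printf '%-6s %s\n' "$user" "$(account_status "$p" "$s" "$k" "$today")"
    done <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash|alice:$6$c0nstructed$placeholder:14567:0:99999:7:::|no
bob:x:1001:1001::/home/bob:/bin/bash|bob:!$6$c0nstructed$placeholder:14567:0:99999:7:::|yes
carol:x:1002:1002::/home/carol:/sbin/nologin|carol:$6$c0nstructed$placeholder:14567:0:99999:7:::|no
dave:x:1003:1003::/home/dave:/bin/bash|dave:$6$c0nstructed$placeholder:14567:0:99999:7::14500:|yes
EOF
}

report
```

Run against a real host by feeding `getent passwd "$u"`, the matching line from /etc/shadow (root required) and the result of `test -s /home/$u/.ssh/authorized_keys`; any account reported as `partial:` is one that a password change or `passwd -l` alone has not actually closed.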
