[arch-general] pam settings INSECURE

Xavier shiningxc at gmail.com
Wed Nov 18 08:07:39 EST 2009

On Wed, Nov 18, 2009 at 6:40 AM, Caleb Cushing <xenoterracide at gmail.com> wrote:
> so here's the problem I've discovered
> http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
> < links to arch bug included; posting here because I believe both kde's
> and arch's developers' responses are less than satisfactory. This is a
> security bug and easy to fix without making users' lives more difficult.
> so I'm starting with /etc/pam.d/login
> auth        required    pam_shells.so #add this: why let someone login
> who has an invalid shell.
> /etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login
> since it allows logins.
> #%PAM-1.0
> auth        requisite   pam_nologin.so
> auth        required    pam_unix.so nullok
> auth        required    pam_shells.so # as my blog says setting an
> invalid shell is a common way of disabling accounts.
> auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
> # use this to lockout accounts for 10 minutes after 3 failed attempts
> #auth       required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
> account     required    pam_access.so
> account     required    pam_time.so
> account     required    pam_unix.so
> password    required    pam_unix.so
> #password   required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
> #password   required    pam_unix.so md5 shadow use_authtok
> session     required    pam_unix.so
> session     required    pam_env.so
> session     required    pam_limits.so
> also I believe pam_tally2 replaces pam_tally may wish to consider
> migrating (non urgent next release?)

So basically you just need to add "auth        required
pam_shells.so" to all pam files related to login, correct?
Or what were the other problematic settings of pam.d/kde?

The comments about this being an upstream problem are invalid, as
these pam files are all shipped by arch:

Note that this problem probably exists with all login managers. For
example gdm does not have pam_shells.so either.

And I am curious to know what the pam settings of other distros are.

Finally, maybe it makes sense to try keeping all the different pam
login files as consistent as possible. But I don't know enough about
pam to tell.
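An added audit script (example code, not from the thread or from Arch) that checks the login-related files under a pam.d directory for an active pam_shells.so auth line, run here on a constructed sample that mirrors the quoted kdm stack; the list of service names is an assumption.

```sh
#!/bin/sh
# Audit login-related PAM service files for an active pam_shells.so auth line.
# pam_shells.so rejects users whose login shell is not listed in /etc/shells,
# which is what keeps "disabled by invalid shell" accounts out of kdm/gdm/login.
# Assumption: the service names in audit_pamd are the usual login-capable ones;
# the sample pam.d directory below is constructed for this example.

# Return 0 if the file has an uncommented "auth required|requisite pam_shells.so"
# line (bracket-style control fields are not handled here), 1 otherwise.
has_pam_shells() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_shells\.so' "$1"
}

# Print the path of every login-related service file under $1 that lacks
# pam_shells.so. Always returns 0 so it can be used in command substitution.
audit_pamd() {
    for svc in login kdm gdm sshd su; do
        f="$1/$svc"
        [ -f "$f" ] || continue
        has_pam_shells "$f" || echo "MISSING pam_shells.so: $f"
    done
    return 0
}

# Build a constructed sample pam.d directory: login has the check, kdm has it
# only commented out (the regex must not be fooled by the '#').
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/login" <<'EOF'
#%PAM-1.0
auth        requisite   pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_shells.so
account     required    pam_unix.so
EOF
    cat > "$d/kdm" <<'EOF'
#%PAM-1.0
auth        requisite   pam_nologin.so
auth        required    pam_unix.so nullok
#auth       required    pam_shells.so
account     required    pam_unix.so
EOF
    echo "$d"
}

# On a real system run: audit_pamd /etc/pam.d
sample=$(make_sample_pamd)
audit_pamd "$sample"      # prints: MISSING pam_shells.so: <sample>/kdm
rm -rf "$sample"
```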
