[arch-general] pam settings INSECURE
Xavier
shiningxc at gmail.com
Wed Nov 18 08:07:39 EST 2009
On Wed, Nov 18, 2009 at 6:40 AM, Caleb Cushing <xenoterracide at gmail.com> wrote:
> so here's the problem I've discovered
> http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
> < links to arch bug included posting here because I believe both kde's
> and arch's developers responses are less than satisfactory. This is a
> security bug an easy to fix without making users lives more difficult.
>
> so I'm starting with /etc/pam.d/login
>
> auth required pam_shells.so #add this: why let someone login
> who has an invalid shells.
>
>
> /etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login
> since it allows logins.
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_unix.so nullok
> auth required pam_shells.so # as my blog says setting an
> invalid shell is a common way of disabling accounts.
> auth required pam_tally.so onerr=succeed file=/var/log/faillog
> # use this to lockout accounts for 10 minutes after 3 failed attempts
> #auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
> account required pam_access.so
> account required pam_time.so
> account required pam_unix.so
> password required pam_unix.so
> #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
> #password required pam_unix.so md5 shadow use_authtok
> session required pam_unix.so
> session required pam_env.so
> session required pam_limits.so
>
> also I believe pam_tally2 replaces pam_tally may wish to consider
> migrating (non urgent next release?)
>
So basically you just need to add "auth required
pam_shells.so" to all pam files related to login, correct ?
Or what were the other problematic settings of pam.d/kde ?
The comments about this being an upstream problem are invalid, as
these pam files are all shipped by arch :
http://repos.archlinux.org/wsvn/packages/kdebase-workspace/trunk/
http://repos.archlinux.org/wsvn/packages/shadow/trunk/login
Note that this problem probably exists with all login managers. For
example gdm does not have pam_shells.so either.
http://repos.archlinux.org/wsvn/packages/gdm/trunk/
And I am curious to know what the pam settings of other distro are
(debian,fedora,gentoo,..).
Finally, maybe it makes sense to try keeping all the different pam
login files as consistent as possible. But I don't know enough about
pam to tell.
More information about the arch-general
mailing list