[arch-general] pam settings INSECURE

Xavier shiningxc at gmail.com
Wed Nov 18 08:07:39 EST 2009


On Wed, Nov 18, 2009 at 6:40 AM, Caleb Cushing <xenoterracide at gmail.com> wrote:
> so here's the problem I've discovered
> http://xenoterracide.blogspot.com/2009/11/bypassing-disabled-accounts-with-kdm.html
> < links to arch bug included posting here because I believe both kde's
> and arch's developers responses are less than satisfactory. This is a
> security bug an easy to fix without making users lives more difficult.
>
> so I'm starting with /etc/pam.d/login
>
> auth        required    pam_shells.so #add this: why let someone login
> who has an invalid shells.
>
>
> /etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login
> since it allows logins.
>
> #%PAM-1.0
> auth        requisite   pam_nologin.so
> auth        required    pam_unix.so nullok
> auth        required    pam_shells.so # as my blog says setting an
> invalid shell is a common way of disabling accounts.
> auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
> # use this to lockout accounts for 10 minutes after 3 failed attempts
> #auth       required    pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
> account     required    pam_access.so
> account     required    pam_time.so
> account     required    pam_unix.so
> password    required    pam_unix.so
> #password   required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
> #password   required    pam_unix.so md5 shadow use_authtok
> session     required    pam_unix.so
> session     required    pam_env.so
> session     required    pam_limits.so
>
> also I believe pam_tally2 replaces pam_tally may wish to consider
> migrating (non urgent next release?)
>

So basically you just need to add "auth        required
pam_shells.so" to all pam files related to login, correct?
Or what were the other problematic settings of pam.d/kde?

The comments about this being an upstream problem are invalid, as
these pam files are all shipped by arch:
http://repos.archlinux.org/wsvn/packages/kdebase-workspace/trunk/
http://repos.archlinux.org/wsvn/packages/shadow/trunk/login

Note that this problem probably exists with all login managers. For
example gdm does not have pam_shells.so either.
http://repos.archlinux.org/wsvn/packages/gdm/trunk/

And I am curious to know what the pam settings of other distros are
(debian,fedora,gentoo,..).

Finally, maybe it makes sense to try keeping all the different pam
login files as consistent as possible. But I don't know enough about
pam to tell.
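A small audit script, added here as an example and not part of either message or of Arch's packages, that checks the two things this thread turns on: whether each PAM service's auth stack loads pam_shells.so in a position that can actually deny a login (required or requisite, not optional), and which accounts in passwd have a login shell that is not listed in /etc/shells, i.e. the accounts that the "disable by setting an invalid shell" convention relies on pam_shells.so to block. The file contents embedded below are constructed samples, not the real Arch login/kdm/gdm files; on a live system the same functions would be fed the contents of /etc/pam.d/*, /etc/shells and /etc/passwd.

```python
"""Audit PAM service files for an enforcing pam_shells.so line and list
accounts whose shell is not in /etc/shells.

Added example for this thread; not code from the original messages or
from Arch. All file contents below are constructed samples."""

import re
from typing import Dict, List, Set, Tuple

# Constructed sample /etc/pam.d files (not the shipped Arch files).
SAMPLE_PAM_FILES: Dict[str, str] = {
    "login": """#%PAM-1.0
auth        required    pam_securetty.so
auth        requisite   pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_shells.so
account     required    pam_unix.so
session     required    pam_unix.so
""",
    # Like the kdm file quoted in the thread: no pam_shells.so at all.
    "kdm": """#%PAM-1.0
auth        requisite   pam_nologin.so
auth        required    pam_unix.so nullok
auth        required    pam_tally.so onerr=succeed file=/var/log/faillog
account     required    pam_unix.so
session     required    pam_unix.so
""",
    # pam_shells.so present but 'optional': its failure cannot deny login.
    "sshd": """#%PAM-1.0
auth        required    pam_unix.so
auth        optional    pam_shells.so
account     required    pam_unix.so
""",
}

SAMPLE_ETC_SHELLS = """# /etc/shells (constructed)
/bin/sh
/bin/bash
/bin/zsh
"""

SAMPLE_PASSWD = """root:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/zsh
bob:x:1001:1001::/home/bob:/bin/false
carol:x:1002:1002::/home/carol:/usr/sbin/nologin
nobody:x:99:99::/:/bin/false
"""

# type  control  module [args]; control may be a bracketed [value=action ...] form.
PAM_LINE = re.compile(
    r"^\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$"
)


def parse_pam(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (type, control, module, args) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        m = PAM_LINE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype, control, module, args or ""))
    return entries


def enforces_shells(text: str) -> bool:
    """True if an auth line loads pam_shells.so with a control that can deny login.

    Only 'required' and 'requisite' are treated as enforcing; 'optional',
    'sufficient' and bracketed controls are conservatively reported as not enforcing."""
    for mtype, control, module, _ in parse_pam(text):
        if mtype == "auth" and module.endswith("pam_shells.so") and control in ("required", "requisite"):
            return True
    return False


def audit_pam_dir(files: Dict[str, str]) -> List[str]:
    """Names of login-related services whose auth stack does not enforce pam_shells.so."""
    return sorted(name for name, text in files.items() if not enforces_shells(text))


def load_shells(text: str) -> Set[str]:
    """Parse /etc/shells-style content into the set of permitted shells."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def accounts_with_invalid_shell(passwd_text: str, shells: Set[str]) -> List[Tuple[str, str]]:
    """(user, shell) for every passwd entry whose shell is not a permitted shell.

    These are exactly the accounts pam_shells.so would refuse, and that a
    login manager without it would still let in on a correct password."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        if fields[6] not in shells:
            found.append((fields[0], fields[6]))
    return found


if __name__ == "__main__":
    print("services without enforcing pam_shells.so:", audit_pam_dir(SAMPLE_PAM_FILES))
    shells = load_shells(SAMPLE_ETC_SHELLS)
    for user, shell in accounts_with_invalid_shell(SAMPLE_PASSWD, shells):
        print(f"{user}: shell {shell} not in /etc/shells (disabled, relies on pam_shells)")
```

The output for the constructed samples lists kdm and sshd as the services where the "invalid shell" convention gives no protection, and bob, carol and nobody as the accounts that convention is disabling. Real PAM files can also use the `-` prefix for optional modules and `include`/`substack` directives, which this parser does not follow; an included stack would need to be resolved before judging the service.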
