[arch-general] pam settings INSECURE
shiningxc at gmail.com
Wed Nov 18 08:07:39 EST 2009
On Wed, Nov 18, 2009 at 6:40 AM, Caleb Cushing <xenoterracide at gmail.com> wrote:
> so here's the problem I've discovered
> < links to arch bug included posting here because I believe both kde's
> and arch's developers responses are less than satisfactory. This is a
> security bug and easy to fix without making users' lives more difficult.
> so I'm starting with /etc/pam.d/login
> auth required pam_shells.so #add this: why let someone login
> who has an invalid shell.
> /etc/pam.d/kdm # I'm pretty sure it should be 99% the same as login
> since it allows logins.
> auth requisite pam_nologin.so
> auth required pam_unix.so nullok
> auth required pam_shells.so # as my blog says setting an
> invalid shell is a common way of disabling accounts.
> auth required pam_tally.so onerr=succeed file=/var/log/faillog
> # use this to lockout accounts for 10 minutes after 3 failed attempts
> #auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/
> account required pam_access.so
> account required pam_time.so
> account required pam_unix.so
> password required pam_unix.so
> #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 ret
> #password required pam_unix.so md5 shadow use_authtok
> session required pam_unix.so
> session required pam_env.so
> session required pam_limits.so
> also I believe pam_tally2 replaces pam_tally; may wish to consider
> migrating (non urgent, next release?)
So basically you just need to add "auth required
pam_shells.so" to all pam files related to login, correct?
Or what were the other problematic settings of pam.d/kde?
The comments about this being an upstream problem are invalid, as
these pam files are all shipped by arch:
Note that this problem probably exists with all login managers. For
example gdm does not have pam_shells.so either.
And I am curious to know what the pam settings of other distros are.
Finally, maybe it makes sense to try keeping all the different pam
login files as consistent as possible. But I don't know enough about
pam to tell.
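The check both mails are asking for (which login-related pam.d stacks lack pam_shells.so) can be scripted. The following is an added example, not code from the thread or from Arch; the two sample stacks are constructed to mirror the login and kdm files quoted above, and the parser only looks at each file's own auth lines (it does not follow "include" directives).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample stacks modelled on the thread: "login" carries
# pam_shells.so, "kdm" does not (the gap Caleb reported).
SAMPLE_PAM_FILES = {
    "login": """\
auth     requisite  pam_nologin.so
auth     required   pam_unix.so nullok
auth     required   pam_shells.so   # reject shells not listed in /etc/shells
account  required   pam_unix.so
session  required   pam_unix.so
""",
    "kdm": """\
auth     requisite  pam_nologin.so
auth     required   pam_unix.so nullok
auth     required   pam_tally.so onerr=succeed file=/var/log/faillog
account  required   pam_access.so
account  required   pam_unix.so
session  required   pam_unix.so
""",
}

def parse_pam(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse pam.d-style text into (type, control, module, args) tuples.
    Strips '#' comments, joins backslash continuations and accepts the
    bracketed [success=1 default=ignore] control syntax."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: keep collecting
            logical += line[:-1] + " "
            continue
        logical += line
        m = re.match(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", logical)
        logical = ""
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype.lower(), control, module, args.split()))
    return entries

def has_module(entries, mtype: str, module: str) -> bool:
    """True if a line of the given type loads the module (path-insensitive)."""
    return any(t == mtype and mod.rsplit("/", 1)[-1] == module
               for t, _, mod, _ in entries)

def audit_login_stacks(files: Dict[str, str]) -> Dict[str, bool]:
    """Map each service to whether its auth stack includes pam_shells.so."""
    return {name: has_module(parse_pam(text), "auth", "pam_shells.so")
            for name, text in files.items()}
```

On a real system, feed it the contents of /etc/pam.d/login, kdm, gdm and any other service that grants interactive logins; a False entry is a stack that still accepts accounts disabled via an invalid shell.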