[Fingerforce-devel] Bug#514349: libpam-thinkfinger: Makes it unable to login as root if no fingerprint is stored for root
Patrick Schoenfeld
schoenfeld at debian.org
Fri Feb 6 14:36:44 UTC 2009
Package: libpam-thinkfinger
Version: 0.3+rev118.2-4
Severity: normal
Hi,
if libpam-thinkfinger is installed, but no fingerprint is stored for root,
no password is requested from the user. In detail:
Once username root is entered a password prompt is shown, but it's
impossible to type in a password. Instead a cursor is printed on a new
line and indicates pam checking a password which has never been entered.
Configuration:
psc at lisa / % grep -v '^#' /etc/pam.d/common-auth
auth sufficient pam_thinkfinger.so debug
auth required pam_unix.so nullok_secure try_first_pass
This has two effects:
1) With libpam-thinkfinger installed and configured (but no fingerprint
for root) in the usual way it's impossible to login as root.
2) People used to get a password prompt (with hidden input) after
entering and confirming a username tend to type in the following
sequence <username><return><password><return> in a fast way. This way
this gets an unwanted information (password) disclosure problem too,
for example if people stand behind you and you type your root password
this way quickly.
Best Regards,
Patrick
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libpam-thinkfinger depends on:
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libthinkfinger0 0.3+rev118.2-4 library for the STMicroelectronics
Versions of packages libpam-thinkfinger recommends:
ii thinkfinger-tools 0.3+rev118.2-4 utilities for the STMicroelectroni
ii udev 0.125-7 /dev/ and hotplug management daemo
libpam-thinkfinger suggests no packages.
-- no debconf information
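
The two-line auth stack quoted in the report, run through a minimal model of Linux-PAM's control-flag semantics (an added example, not part of the original message and not thinkfinger or libpam code). It shows that a failing `sufficient` module is expected to hand the decision to pam_unix.so. Assumptions: the function names are hypothetical, module outcomes are constructed inputs, and only the four keyword control flags are modelled.

```python
# Added example: minimal model of Linux-PAM control flags, not libpam itself.
# Constructed input: the auth stack quoted in the report.
SAMPLE_STACK = """\
auth sufficient pam_thinkfinger.so debug
auth required pam_unix.so nullok_secure try_first_pass
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def evaluate(stack, outcomes):
    """Combine per-module outcomes (True = PAM_SUCCESS) as the stack would.

    Returns (authenticated, modules_consulted). Only the keyword flags
    required/requisite/sufficient/optional are modelled; optional results
    are ignored, which is a simplification.
    """
    required_failed = False
    passed = False
    consulted = []
    for control, module, _args in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                passed = True
            else:
                required_failed = True
                if control == "requisite":
                    break  # requisite failure ends the stack at once
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted  # success here skips everything below
        # a failing 'sufficient' module is ignored and the stack continues
    return passed and not required_failed, consulted


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK)
    for finger, password in [(True, False), (False, True), (False, False)]:
        result = evaluate(stack, {"pam_thinkfinger.so": finger, "pam_unix.so": password})
        print(f"fingerprint={finger} password={password} -> {result}")
```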