[Pkg-shadow-commits] r3113 - debian/trunk/debian

Christian Perrier bubulle at alioth.debian.org
Tue Mar 16 06:59:47 UTC 2010


Author: bubulle
Date: 2010-03-16 06:59:46 +0000 (Tue, 16 Mar 2010)
New Revision: 3113

Modified:
   debian/trunk/debian/changelog
   debian/trunk/debian/login.pam
Log:
Revert pam_securetty to "requisite"


Modified: debian/trunk/debian/changelog
===================================================================
--- debian/trunk/debian/changelog	2010-03-15 10:11:01 UTC (rev 3112)
+++ debian/trunk/debian/changelog	2010-03-16 06:59:46 UTC (rev 3113)
@@ -17,6 +17,10 @@
   * debian/login.defs: Improve documentation of USERGROUPS_ENAB.
     Closes: #572687
   * debian/rules: Added DEB_AUTO_UPDATE_LIBTOOL = pre. Closes: #560633
+  * debian/login.pam: return back to "requisite" for the pam_securetty
+    PAM module. It's more important to avoid root logins over insecure
+    terminals than having a very hypothetical attack based on sniffing
+    incorrect usernames, followed by a brute force attack.
 
  -- Nicolas FRANCOIS (Nekral) <nicolas.francois at centraliens.net>  Sun, 24 Jan 2010 18:28:33 +0100
 
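Review bot: The new entry for debian/login.pam does not say which earlier change it reverts and carries no bug reference, while the two entries directly above it both cite a "Closes:" number. If a bug report or an earlier revision prompted the switch to "required", name it here so the two-way change can be traced. The entry also sits under a trailer signed by Nicolas FRANCOIS and dated 24 Jan 2010, although this commit is by bubulle on 2010-03-16; a "[ Christian Perrier ]" sub-heading above the line would make the attribution clear. The wording "return back to" can be shortened to "revert to", matching the log message.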

Modified: debian/trunk/debian/login.pam
===================================================================
--- debian/trunk/debian/login.pam	2010-03-15 10:11:01 UTC (rev 3112)
+++ debian/trunk/debian/login.pam	2010-03-16 06:59:46 UTC (rev 3113)
@@ -14,11 +14,13 @@
 
 # Disallows root logins except on tty's listed in /etc/securetty
 # (Replaces the `CONSOLE' setting from login.defs)
-# Note that it is included as a "required" module. root will be
-# prompted for a password on insecure ttys.
-# If you change it to a "requisite" module, make sure this does not leak
-# user name information.
-auth       required  pam_securetty.so
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth       requisite  pam_securetty.so
 
 # Disallows other than root logins when /etc/nologin exists
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
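Review bot: The rewritten comment above the pam_securetty line is ambiguous where it says "No password prompts will be displayed if this module fails to avoid having the root password transmitted on unsecure ttys": it can be read as "fails to avoid". Suggest something like "If this module fails, no password prompt is displayed, so the root password is never sent over an insecure tty". The last sentence ("if you think it permits to guess valid user names") does not state what differs between the two control flags from the user's side; one added line saying that "requisite" ends the auth stack at once for root and for names treated as possibly root, while "required" still prompts for a password before failing, would let an administrator decide without reading the PAM documentation. The changelog entry in the same commit says "insecure terminals", so "unsecure ttys" here should use the same word.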



