
Re: [Pkg-shadow-devel] pam_securetty failure for unknown users on secure ttys



Hello Thorsten,

Do you think unknown users should be denied by pam_securetty on secure
TTYs?
(whether it's a mistyped regular user, a mistyped root user, or a
non-existing user).

On Debian, login does not enforce any PAM delay (the reason was to leave the
configuration of delays to PAM (instead of PAM + login.defs), and also
because delays are used to avoid brute-force attacks - and modules like
pam_securetty or pam_nologin do not need to be protected against brute-force
attacks and can lead to an immediate failure).

With the current pam_securetty failures on secure TTYs, it is possible to
brute force usernames via login.

If the failure were limited to non-secure TTYs, this would limit the
probability of such brute force.

Best Regards,
-- 
Nekral

