Re: pam_securetty failure for unknown users on secure ttys
- From: Nicolas François <nekral lists gmail com>
- To: pam-list redhat com, pkg-shadow-devel lists alioth debian org
- Cc:
- Subject: Re: pam_securetty failure for unknown users on secure ttys
- Date: Sun, 22 Jun 2008 22:50:12 +0200
Hi,
On Sat, Jun 21, 2008 at 09:14:27AM +0200, kukuk suse de wrote:
>
> On Sat, Jun 21, Nicolas François wrote:
>
> > If the failure were limited to non-secure TTYs, this would limit the
> > probability of such brute force.
>
> But wouldn't a hacker come from a non-secure TTY most of the time?
> And there you would still have the same problem with your suggestion.
> It only helps for the local console, not for network attacks.
Yes. It's far from perfect.
Enforcing a delay in login might be better to protect against brute force
attacks.
> Between, what I use to avoid your problem in /etc/pam.d/login:
>
> auth requisite pam_nologin.so
> auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
> auth include common-auth
Thanks, that's what I will consider.
Best Regards,
--
Nekral
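
Added example (not part of the original message and not Linux-PAM code): a small Python model of how the bracketed control field quoted above resolves each module return value, compared with the plain `requisite` keyword as a baseline. The keyword expansions follow pam.conf(5); the function names, the `KUKUK` constant and the choice of return values to compare are assumptions made for this illustration.

```python
# Illustrative model of Linux-PAM control-field resolution (not Linux-PAM code).
# Keyword expansions as documented in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

# Control field quoted in the message above.
KUKUK = "[user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]"


def parse_control(control):
    """Turn a control field into a {return_value: action} dict."""
    control = control.strip()
    if control.startswith("["):
        if not control.endswith("]"):
            raise ValueError("unterminated bracket control: %r" % control)
        body = control[1:-1]
    elif control in KEYWORDS:
        body = KEYWORDS[control]
    else:
        raise ValueError("unknown control keyword: %r" % control)
    rules = {}
    for pair in body.split():
        value, sep, action = pair.partition("=")
        if not sep or not action:
            raise ValueError("malformed value=action pair: %r" % pair)
        rules[value] = action
    return rules


def action_for(control, return_value):
    """Action for one module return value; unlisted values fall back to
    'default'. Returns None if no default is given (not modelled here)."""
    rules = parse_control(control)
    return rules.get(return_value, rules.get("default"))


def compare(returns=("success", "auth_err", "user_unknown", "service_err")):
    """Map each return value to (action under requisite, action under KUKUK)."""
    return {rv: (action_for("requisite", rv), action_for(KUKUK, rv))
            for rv in returns}


if __name__ == "__main__":
    for rv, (plain, bracket) in compare().items():
        print("%-13s requisite=%-6s bracket=%s" % (rv, plain, bracket))
```

The only return value whose handling changes from stack-terminating to ignored is `user_unknown`, so an unknown user name falls through to `common-auth` instead of failing at pam_securetty, while `auth_err` still ends the stack immediately.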