Password aging

Rick Stevens rstevens at vitalstream.com
Thu Aug 18 22:40:19 UTC 2005


Allen, Jack wrote:
> Rick Stevens wrote: 
> AH!  The lightbulb turns on!  I haven't used telnet in a long time and
> wasn't aware that's what you were doing.
> 
> First, may I suggest that you disable telnetd immediately.  Never use it
> unless you are behind a really strong firewall and can guarantee the
> security of your network.  The telnet protocol is completely insecure
> and sends EVERYTHING (including passwords) through in cleartext--which
> is a bloody horrible idea as you can well imagine!
> 
> Now, on top of the security issues I mentioned above, all telnetd cares
> about is whether login validates you or not.  Since the account hasn't
> been disabled, login will approve you and telnet lets you log in.  Note,
> however, that the warnings that login gives are (rather unceremoniously)
> thrown away by telnetd.
> 
> If, however, password aging had expired the account (and therefore login
> would reject you), then telnetd wouldn't let you in either.  telnetd is
> a "pass or fail" system, not a "pass, pass with warnings, or fail"
> system.
> 
> Hope that explains it a bit, and sorry about the misunderstanding.
> 
> ===========
> 	I know all about the lack of security with telnet. Our development
> systems are all behind a very restricted firewall and our product is
> deployed at our customers behind firewalls. The product requires telnet
> because of some old terminal emulation with enhancements that has to be used
> by the users.
> 
> 	I don't know exactly how Linux functions as far as telnet and login,
> but I do know how telnet and login work on UNIX systems. The login prompt is
> presented to the user by the login program which communicates through the
> telnetd process back through the network. The telnetd process is actually
> the parent process for login. The login program does all the prompting of the
> user for the login name and their password and does all the validation,
> password aging checks and so forth. Then it overlays itself with the shell
> specified in the passwd file. As I said earlier, when I connect via telnet
> it runs login, when I connect via ssh it also runs login. I checked this
> when I connected before I even entered a login name. Therefore it seems to
> me that login is being used by both ways of connecting to the system and it
> should be the one doing validation and aging checking. If this is true, I
> still cannot figure out why one does aging and the other does not.

It's not aging, it's the _warnings_ that login gives about the state of
the password that aren't propagated through the telnet pipe.  I'm not
100% sure of this, but if telnetd wasn't built with AUTHENTICATION
enabled, these messages are ignored, and I don't know how it was built.

> 	Just as a side question, when are the PAM configuration files in
> /etc/pam.d used? There is one for password, login, and sshd. I checked the
> last accessed time on all of them and password and login are never accessed.
> So what are they there for?

Those control what PAM things are required for the named application.
In other words, /etc/pam.d/passwd controls access regarding the use of
the /usr/bin/passwd _program_, not access to the /etc/passwd _file_.
File access is handled by the standard permissions and ACLs.

Similarly, /etc/pam.d/login controls use of the /bin/login program, and
then only if it's invoked by a user--not by another program (e.g. sshd
or telnetd).  It's assumed that, because another program is invoking it,
that program has already authenticated in some manner--at least the
session must be valid.  If you look at the differences between the
/etc/pam.d/sshd and /etc/pam.d/login files, you'll see that sshd's
requirements for the session portion are less restrictive so it can run
login.

> 	Does anyone have the source loaded and can look at login and see if
> it uses the PAM files or calls other things that may use them or deals with
> the shadow file and aging directly?

login does all that.  Again, aging is taking place.  You simply don't
see the warnings that login issues when you use telnet, that's all.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-  Time: Nature's way of keeping everything from happening at once.  -
----------------------------------------------------------------------
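As an added example (not part of this thread or of any Red Hat code), here is a POSIX sh function that applies the aging fields of an /etc/shadow entry in the order shadow(5) describes them, so an administrator can see for each account the state whose warning a telnet session would have thrown away. The shadow lines and the "today" value are constructed, the hash field is a placeholder, and the ordering of checks is a simplified model of the account check, not pam_unix's source.

```shell
#!/bin/sh
# Shadow fields (shadow(5)): name:hash:lastchg:min:max:warn:inactive:expire:flag
# Day counts are days since 1970-01-01; an empty field means "not set".
# aging_status SHADOW_LINE TODAY  -> prints one of:
#   account-expired | must-change | locked-inactive |
#   expired-change-required | warning:<days-left> | ok
aging_status() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '{
    lastchg = $3; max = $5; warn = $6; inactive = $7; expire = $8
    # Absolute account expiry wins over everything else.
    if (expire != "" && today >= expire)   { print "account-expired"; exit }
    # lastchg of 0 means "must change password at next login".
    if (lastchg == "0")                    { print "must-change"; exit }
    # No maximum age (empty or 99999) means the password never expires.
    if (max == "" || max + 0 >= 99999)     { print "ok"; exit }
    due = lastchg + max
    # Past max age plus the inactivity grace period: login is refused.
    if (inactive != "" && today >= due + inactive) { print "locked-inactive"; exit }
    # Past max age: login accepts the password but demands a new one.
    if (today >= due)                      { print "expired-change-required"; exit }
    # Inside the warning window: login prints "will expire in N days".
    if (warn != "" && warn > 0 && today >= due - warn) { print "warning:" (due - today); exit }
    print "ok"
  }'
}

# Constructed sample entries; HASH stands in for the password hash.
TODAY=13000   # constructed; roughly August 2005
SAMPLE_OK="alice:HASH:12980:0:90:7:::"
SAMPLE_WARN="bob:HASH:12920:0:90:14:::"
SAMPLE_EXPIRED="carol:HASH:12880:0:90:7:::"
SAMPLE_INACTIVE="dave:HASH:12800:0:90:7:30::"
SAMPLE_ACCT_EXPIRED="erin:HASH:12980:0:90:7::12999:"
SAMPLE_FORCED="frank:HASH:0:0:90:7:::"

# Report every sample the way an admin would scan real /etc/shadow lines.
for line in "$SAMPLE_OK" "$SAMPLE_WARN" "$SAMPLE_EXPIRED" \
            "$SAMPLE_INACTIVE" "$SAMPLE_ACCT_EXPIRED" "$SAMPLE_FORCED"; do
  printf '%-6s %s\n' "${line%%:*}" "$(aging_status "$line" "$TODAY")"
done
```

On a real system the same function can be fed `while IFS= read -r line; do ...; done < /etc/shadow` as root, with today's day number from `$(( $(date +%s) / 86400 ))`.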
