Re: Security warnings from pam_securetty?
On Fri, 2004-04-30 at 08:55, Svante Signell wrote: Is the bug #243698 in libpam0g really resolved in version 0.76-20? I still get the security warnings in my logfiles. What is referred to in the changelog.Debian for the null password check: passwd, shadow etc? How are these related to the /etc/pam.d/* files. Eg. the /etc/pam.d/common-password has the following entry enabled: password required pam_unix.so nullok obscure min=4 max=8 md5 An alternate solution is in the same file. Is this solution to prefer? # password required pam_cracklib.so retry=3 minlen=6 difok=3 # password required pam_unix.so use_authtok nullok md5 If possible, please explain or if possible give a HOWTO- or an FAQ- pointer that describes the current pam behaviour. changelog.Debian entry below: pam (0.76-20) unstable; urgency=medium * Update to patch 55 to only check securetty when we are sure the password is null, Closes: #243698 * Medium urgency because the version now in testing has confusing and verbose log messages. * Include pam_getenv script which hopefully will be used by some peoplesomewhere for some purpose -- Sam Hartman [EMAIL PROTECTED] Wed, 28 Apr 2004 22:51:18 -0400 Please Cc: me since I'm not subscribed to debian-user On Tue, 2004-04-20 at 15:27, Colin Watson wrote: On Mon, Apr 19, 2004 at 08:57:13PM +0200, Svante Signell wrote: I find these messages in my logfiles. What has changed recently? The access to the tty devices is crw-rw and owned by root.tty. sshd[4196]: (pam_securetty) access denied: tty 'ssh' is not secure ! xscreensaver: (pam_securetty) access denied: tty ':0.0' is not secure ! This is a filed bug against pam. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Security warnings from pam_securetty?
On Mon, Apr 19, 2004 at 08:57:13PM +0200, Svante Signell wrote: I find these messages in my logfiles. What has changed recently? The access to the tty devices is crw-rw and owned by root.tty. sshd[4196]: (pam_securetty) access denied: tty 'ssh' is not secure ! xscreensaver: (pam_securetty) access denied: tty ':0.0' is not secure ! The purpose of securetty is to ensure that root can only login from terminals(normally only the console) to prevent dangerous logins e.g. login via telnet. It has nothing to do with permissions (if you are root they don't exacly matter anyway). See: /etc/securetty man 5 securetty /etc/pam.d man 7 pam I'd suggest removing the pam_securetty lines from pam.d/ssh and xscreensaver. I can't think of any security problems to that off the top of my head. Please cc: me since I'm not subscribed to the list. Done Brian -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Security warnings from pam_securetty?
On Mon, Apr 19, 2004 at 08:57:13PM +0200, Svante Signell wrote: I find these messages in my logfiles. What has changed recently? The access to the tty devices is crw-rw and owned by root.tty. sshd[4196]: (pam_securetty) access denied: tty 'ssh' is not secure ! xscreensaver: (pam_securetty) access denied: tty ':0.0' is not secure ! This is a filed bug against pam. -- Colin Watson [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Security warnings from pam_securetty?
I find these messages in my logfiles. What has changed recently? The access to the tty devices is crw-rw and owned by root.tty. sshd[4196]: (pam_securetty) access denied: tty 'ssh' is not secure ! xscreensaver: (pam_securetty) access denied: tty ':0.0' is not secure ! Please cc: me since I'm not subscribed to the list. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]