Bug#932376: libpam-modules: removing nullok_secure from pam_unix

Sat, 20 Jul 2019 08:30:20 -0700 

Package: libpam-modules
Version: 1.3.1-5
Followup-For: Bug #932376

Hello

I have done some research and i found a patch adding support for nullok_secure 
which allows
a passwordless login when the console is listed in /etc/securetty file. I would 
remove this
support by removing 055_pam_unix_nullok_secure patch and removing nullok_secure 
string from
/etc/pam.d/common-auth. The question is if we want to remove this or leave it 
for system admins
to decide. Leaving the nullok_secure will produce unnecessery log messages.
Im adding a patch that changes settings in /etc/pam.d/common-auth. The removal 
of nullok_secure
can be done by removing the 055_pam_unix_nullok_secure patch.

Thank you

Hope this helps

Bye

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.72
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libdb5.3               5.3.28+dfsg1-0.6
ii  libpam-modules-bin     1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information excluded

removing nullok_secure from config file in /etc/pam.d/common-auth because
of planned removal of securetty. If this option is not removed it will cause
a log message in /var/log/auth.log. This log message is not fatal but it will
clog the logs.
Index: pam-1.3.1/debian/pam-configs/unix
===================================================================
--- pam-1.3.1.orig/debian/pam-configs/unix
+++ pam-1.3.1/debian/pam-configs/unix
@@ -3,9 +3,9 @@ Default: yes
 Priority: 256
 Auth-Type: Primary
 Auth:
-       [success=end default=ignore]    pam_unix.so nullok_secure try_first_pass
+       [success=end default=ignore]    pam_unix.so try_first_pass
 Auth-Initial:
-       [success=end default=ignore]    pam_unix.so nullok_secure
+       [success=end default=ignore]    pam_unix.so 
 Account-Type: Primary
 Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so

Reply via email to