Package: libpam-runtime
Version: 1.3.1-5
Severity: normal
The default auth configuration in /usr/share/pam-configs/unix includes
this:

Auth:
	[success=end default=ignore] pam_unix.so nullok_secure try_first_pass
Auth-Initial:
	[success=end default=ignore] pam_unix.so nullok_secure

According to pam_unix(8):
> nullok_secure
> The default action of this module is to not permit the user
> access to a service if their official password is blank. The
> nullok_secure argument overrides this default and allows any
> user with a blank password to access the service as long as
> the value of PAM_TTY is set to one of the values found in
> /etc/securetty.
This results in warning messages like these on screen unlock or other
uses of auth:
Aug 29 08:58:24 s gdm-password][2898]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Aug 29 08:58:26 s gdm-password][2898]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
shadow dropped securetty in 1:4.7-1 (see
https://bugs.debian.org/731656).
The default PAM configuration should not use nullok_secure.
I think it makes sense to just use "nullok" here, as that's equivalent
to the behavior of nullok_secure when /etc/securetty doesn't exist.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-runtime depends on:
ii debconf [debconf-2.0] 1.5.73
ii libpam-modules 1.3.1-5
libpam-runtime recommends no packages.
libpam-runtime suggests no packages.
-- debconf information:
libpam-runtime/conflicts:
libpam-runtime/no_profiles_chosen:
libpam-runtime/override: false
libpam-runtime/title:
libpam-runtime/profiles: unix, systemd, gnome-keyring
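
Added example, not part of the original report or of the pam package: a shell function that lists every pam_unix.so entry carrying nullok or nullok_secure in a PAM directory and records whether the securetty file that nullok_secure depends on exists. The function name, the status labels and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): list pam_unix.so entries that allow
# blank passwords and note whether nullok_secure has a securetty file to check.
# Usage: audit_pam_nullok PAM_DIR SECURETTY_PATH
# Output: <file>:<line>:<option>:<status>  (status labels are this example's own)
audit_pam_nullok() {
    pam_dir=$1
    securetty=$2
    if [ -f "$securetty" ]; then tty_state=securetty-present
    else tty_state=securetty-missing; fi
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v tty_state="$tty_state" '
            $1 ~ /^#/ { next }                      # skip comment lines
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++) {
                    if ($i == "nullok_secure")      # depends on securetty
                        print file ":" NR ":nullok_secure:" tty_state
                    else if ($i == "nullok")        # never consults PAM_TTY
                        print file ":" NR ":nullok:no-tty-check"
                }
            }' "$f"
    done
}

# Constructed sample: the Auth line quoted in the report, written in
# /etc/pam.d syntax, audited without and then with a securetty file.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pam.d"
    printf '%s\n' \
        '# constructed sample' \
        'auth [success=end default=ignore] pam_unix.so nullok_secure try_first_pass' \
        > "$d/pam.d/common-auth"
    audit_pam_nullok "$d/pam.d" "$d/securetty"
    : > "$d/securetty"
    audit_pam_nullok "$d/pam.d" "$d/securetty"
    rm -rf "$d"
}

demo
```

On a live system the call would be `audit_pam_nullok /etc/pam.d /etc/securetty`; any `nullok_secure:securetty-missing` line marks an entry in the state this report describes.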