Hi Steve, Sorry, I forgot about this email.
On Sun, Aug 24, 2008 at 11:25:20PM -0700, [EMAIL PROTECTED] wrote: > On Sun, Aug 24, 2008 at 03:01:41PM +0200, Nicolas François wrote: > > > On Sat, Aug 23, 2008 at 10:30:59PM -0700, [EMAIL PROTECTED] wrote: > > > I just upgraded one of my sid machines that had a modified > > > /etc/pam.d/login, > > > and was quite surprised to see the conffile prompt from this change, > > > specifically because of the use of pam_faildelay. > > > > Did you consider doing this instead for pam_securetty?: > > > > auth [success=ok user_unknown=ignore default=die] pam_securetty.so > > > I did not added this because in case of an insecure TTY, if root enters > > his name with a typo, she will be prompted for a password. > > (That was my true in my last try: the user is checked before the TTY) > > True, but I'm not convinced this is actually a problem; in order for the > user to shoot themselves in the foot, they must: > > - be running login on an insecure tty (...seriously? who still runs telnet > anymore, unless it's kerberized telnet?) > - mistype the name "root" > - fail to *notice* they've mistyped the name "root", and then proceed to > type the root password. > > Is that really a case that's worth protecting against? Isn't it just as > likely that a user will type in a *correct* username, and then make the > mistake of typing the root password instead of the user password? right. > > Would it be better to call pam_faildelay only in case of a pam_securetty > > failure, and otherwise let pam_unix set the delay? > > All in all, I think that calling pam_faildelay is appropriate because there > are authentication modules one might use in place of pam_unix which do *not* > call pam_fail_delay at all (e.g., pam_krb5 and pam_ldap). I'm just not sure > that /etc/pam.d/login is the right place for it, or if it actually belongs > in /etc/pam.d/common-auth. I'm a bit confused now. Should I upload now a new version with the fixed pam_securetty.so (user_unknown=ignore) and the pam_faildelay.so modules? Cheers, -- Nekral -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
