Package: libpam-thinkfinger
Version: 0.3+rev118.2-4
Severity: normal

Hi,

if libpam-thinkfinger is installed, but no fingerprint is stored for root, no password is requested from the user.

In detail: Once the username root is entered, a password prompt is shown, but it's impossible to type in a password. Instead a cursor is printed on a new line and indicates pam checking a password which has never been entered.

Configuration:

    p...@lisa / % grep -v '^#' /etc/pam.d/common-auth
    auth sufficient pam_thinkfinger.so debug
    auth required pam_unix.so nullok_secure try_first_pass

This has two effects:

1) With libpam-thinkfinger installed and configured (but no fingerprint for root) in the usual way, it's impossible to log in as root.

2) People used to getting a password prompt (with hidden input) after entering and confirming a username tend to type in the following sequence
   <username><return><password><return>
   in a fast way. This way this gets an unwanted information (password) disclosure problem too, for example if people stand behind you and you type your root password this way quickly.

Best Regards,
Patrick

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-thinkfinger depends on:
ii  libc6              2.7-18          GNU C Library: Shared libraries
ii  libpam0g           1.0.1-5         Pluggable Authentication Modules l
ii  libthinkfinger0    0.3+rev118.2-4  library for the STMicroelectronics

Versions of packages libpam-thinkfinger recommends:
ii  thinkfinger-tools  0.3+rev118.2-4  utilities for the STMicroelectroni
ii  udev               0.125-7         /dev/ and hotplug management daemo

libpam-thinkfinger suggests no packages.

-- no debconf information
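For reference, a simplified model of how PAM evaluates the two-line auth stack quoted in the report, showing that a failing `sufficient` fingerprint module is meant to fall through to the `pam_unix.so` password check. This is an added example, not code from the report or from the thinkfinger project; it models only the simple control flags, and the module return values are supplied by the caller as assumptions.

```python
# Simplified model of PAM "auth" stack evaluation (simple control flags only).
SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"

# The two lines quoted in the report.
COMMON_AUTH = """\
auth sufficient pam_thinkfinger.so debug
auth required pam_unix.so nullok_secure try_first_pass
"""

def parse_stack(text, kind="auth"):
    """Return [(control, module, args)] for one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == kind:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, results):
    """results maps module -> return value (chosen by the caller, an assumption).
    Returns (verdict, list of modules that were consulted)."""
    required_failed = False
    any_success = False
    ran = []
    for control, module, _args in stack:
        rc = results[module]
        ran.append(module)
        if rc == IGNORE:
            continue
        if rc == SUCCESS:
            if control != "optional":
                any_success = True
            if control == "sufficient" and not required_failed:
                return SUCCESS, ran        # stack stops; later modules never run
        elif control == "requisite":
            return AUTH_ERR, ran           # fail immediately
        elif control == "required":
            required_failed = True         # fail, but keep running the stack
        # a failed "sufficient" or "optional" module is ignored
    return (SUCCESS if any_success and not required_failed else AUTH_ERR), ran

def password_still_enforced(text):
    """True if, with the fingerprint module failing, pam_unix.so alone decides."""
    stack = parse_stack(text)
    fail = {"pam_thinkfinger.so": AUTH_ERR}
    ok, ran = evaluate(stack, {**fail, "pam_unix.so": SUCCESS})
    bad, _ = evaluate(stack, {**fail, "pam_unix.so": AUTH_ERR})
    return ok == SUCCESS and bad == AUTH_ERR and "pam_unix.so" in ran
```

By this model the quoted configuration leaves the final decision to the password check whenever the fingerprint module fails.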

