Hello Steve,

On Wed, Sep 02, 2009 at 01:32:17AM -0700, Steve Langasek wrote:
> > > * debian/login.pam: pam_securetty included as a required module instead of
> > > requisite to avoid leak of user name information. Closes: #531341
>
> Please revert this change. The 'requisite' module is necessary to prevent
> exposure of the root password over insecure channels - such as telnet, but
> also including unencrypted XDMCP connections. root users should never have
> the opportunity to type their password when the tty is not secure.
Sorry for the long delay, and thanks to Christian for repinging on this topic.

I would prefer to use the following (rather than a requisite):

    auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

The difference with requisite is the addition of user_unknown=bad.

The problem with requisite is that it leaks knowledge on the existing usernames (with pam 1.1.0-4, this leak is limited to insecure lines, but this might not be sufficient). The possible user enumeration (which was very visible with pam < 1.1.0-4 since it occurred on any box on the console ttys) was the cause of numerous complaints, so I think this default would be more sensible than a simple "requisite".

IMHO, the only issue is that if root mis-types the username, then a password is prompted. But I consider this can be blamed on root for:
 * mis-typing
 * not remembering that the line is insecure

Do you agree with that choice?

Best Regards,
-- 
Nekral
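The following is an illustration added to this thread, not code from the mail, from Debian or from Linux-PAM: a small Python model of libpam's auth-stack dispatch (only the ok/bad/die/ignore actions, which are the ones the two control lines use) with a model of pam_securetty as the mail describes it (on a secure line it returns success without looking the user up; on an insecure line an unknown name returns PAM_USER_UNKNOWN and root returns PAM_AUTH_ERR) and a model of pam_unix whose only observable effect is the password prompt. The tty names, user names and passwords are constructed for the example. It shows why "requisite" lets an observer on an insecure line tell a known user from an unknown one by whether a prompt appears, why user_unknown=bad closes that gap while still never prompting root on an insecure line, and the cost the mail mentions: a mistyped root name does get a prompt.

```python
"""Model of the Linux-PAM auth stack dispatch, comparing the 'requisite' keyword
with the bracketed control proposed in the mail. It is a simplified re-creation
of libpam's documented semantics (ok/bad/die/ignore only), not libpam itself."""

# Return codes the model needs (names as in Linux-PAM; the string values are ours)
PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_USER_UNKNOWN = "user_unknown"

# Documented expansions of the keyword controls (pam.conf(5))
REQUISITE = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
# The control line from the mail: requisite plus user_unknown=bad
PROPOSED = dict(REQUISITE, user_unknown="bad")

# Constructed stand-ins for /etc/securetty and the passwd/shadow databases
SECURE_TTYS = {"tty1", "tty2"}
USERS = {"root": 0, "alice": 1000}            # name -> uid
PASSWORDS = {"root": "r00t", "alice": "s3cret"}


def pam_securetty(ctx):
    """Model of pam_securetty as the mail describes it (pam 1.1.0-4 behaviour):
    a secure line passes without any user lookup; on an insecure line an unknown
    name yields PAM_USER_UNKNOWN and root yields PAM_AUTH_ERR."""
    if ctx["tty"] in SECURE_TTYS:
        return PAM_SUCCESS
    uid = USERS.get(ctx["user"])
    if uid is None:
        return PAM_USER_UNKNOWN
    return PAM_AUTH_ERR if uid == 0 else PAM_SUCCESS


def pam_unix(ctx):
    """Model of pam_unix: reaching it means the user is prompted for a password."""
    ctx["prompted"] = True
    if PASSWORDS.get(ctx["user"]) == ctx["password"]:
        return PAM_SUCCESS
    return PAM_AUTH_ERR


def run_stack(stack, ctx):
    """Dispatch loop after libpam: 'ok' records a positive result, 'bad' records
    the first negative result and continues, 'die' records it and stops."""
    impression = None        # None = undefined, True = positive, False = negative
    status = PAM_AUTH_ERR    # libpam starts from PAM_MUST_FAIL_CODE
    for module, control in stack:
        retval = module(ctx)
        action = control.get(retval, control["default"])
        if action == "ok":
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        # "ignore": leave impression and status untouched
    return ctx["prompted"], status


def attempt(securetty_control, user, tty, password=None):
    """Run login's auth stack once; returns (was a password prompted?, final status)."""
    ctx = {"user": user, "tty": tty, "password": password, "prompted": False}
    stack = [(pam_securetty, securetty_control), (pam_unix, REQUIRED)]
    return run_stack(stack, ctx)


def leaks_usernames(securetty_control, tty):
    """True if an observer on this tty can tell a known user from an unknown one
    by whether a password prompt appears (the enumeration the mail describes)."""
    known = attempt(securetty_control, "alice", tty)[0]
    unknown = attempt(securetty_control, "nobody", tty)[0]
    return known != unknown


if __name__ == "__main__":
    for name, control in (("requisite", REQUISITE), ("proposed", PROPOSED)):
        print(name, "leaks usernames on pts/0:", leaks_usernames(control, "pts/0"))
        print(name, "root on pts/0:", attempt(control, "root", "pts/0"))
        print(name, "mistyped root on pts/0:", attempt(control, "rot", "pts/0"))
```

Running the script prints that "requisite" leaks usernames on the insecure pts/0 (an unknown name is refused before any prompt, a known one is prompted) while the proposed control does not (both are prompted and both fail), and that under both controls root on pts/0 is never prompted. The last line of each block is the trade-off from the mail: a mistyped root name on an insecure line reaches pam_unix and is prompted.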

