Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success. If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
>
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario. Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).

I felt the same way. I understand that I removed authentication by accidentally commenting out that line, but I thought that would cause authentication to fail. Obviously, authentication is not succeeding, it's just that authentication is not happening at all and you can type anything and get a shell on the remote system (provided you know a user name). In short, that behavior surprised me. I expected an authentication failure, but got a shell instead.

Brad

> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*. I wonder what is the
> justification behind that decision...

