*** This bug is a security vulnerability ***

Public security bug reported:

The current pam profiles mostly seem to say:

    auth [success=$skipnum default=ignore]

This means that pam will happily try to validate your password against all the modules there are; in fact, it ignores wrong passwords, it ignores errors, acct_expired, maxtries, perm_denied and what not, in any of the modules. Given enough pam modules, your chances of being able to authorize could converge to 1 ;-)

This is the wrong way around. A user should be locked out if she is locked out in any of the authentication databases; she should be denied access if she guesses the wrong password in one of these databases.

There is a debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492 that hints in this direction (in fact, it suggests a seemingly more appropriate [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]), but this bug is not flagged as a security issue.

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711770

Title:
  current pam setup ignores everything (for example: bad passwords,
  configuration problems)

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
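The following is an added worked example, not part of the bug report or of Linux-PAM itself. It is a small Python model of how libpam walks a module stack under the bracketed [value=action ...] control syntax from pam.conf(5) (ignore, bad, die, ok, done and the numeric skip), and it evaluates the two stack styles discussed in the report side by side: a [success=N default=ignore] skip chain and the stricter control string from the Debian bug. The second backend (pam_ldap) and the module return codes are constructed for the comparison; the model simplifies libpam's dispatch logic and is not a substitute for reading it.

```python
"""Simplified model of Linux-PAM control-flag evaluation (added example, not libpam).

Actions, as in pam.conf(5), in reduced form:
  ignore  - the module's result does not count
  bad     - the first such failure freezes the stack status; keep going
  die     - like bad, but stop walking the stack
  ok      - the result becomes the status unless an earlier module failed
  done    - like ok, then stop if no earlier module failed
  N       - like ok, then skip the next N modules if no earlier module failed
Return codes are constructed strings here, not real PAM_* integers.
"""

# Keyword equivalents documented in pam.conf(5)
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}."""
    control = KEYWORDS.get(control, control).strip()
    if control.startswith("[") and control.endswith("]"):
        control = control[1:-1]
    actions = {}
    for token in control.split():
        value, sep, action = token.partition("=")
        if not sep:
            raise ValueError("bad control token: %r" % token)
        actions[value] = action
    return actions

def run_stack(stack, returns):
    """stack: list of (control, module); returns: module -> return code.
    Returns the overall result of the stack as a string."""
    status = None      # None = no module has decided anything yet
    failed = False     # a bad/die action has frozen the status
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        ret = returns[module]
        actions = parse_control(control)
        action = actions.get(ret, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if not failed:
                status, failed = ret, True
            if action == "die":
                break
            continue
        # ok / done / jump: only a stack without a prior failure takes the result
        if not failed:
            if status in (None, "success"):
                status = ret
            if action == "done":
                break
            if action.isdigit():
                i += int(action)
    # libpam treats an undecided stack as a failure (PAM_PERM_DENIED)
    return status if status is not None else "perm_denied"

# Constructed skip-chain stack in the style the report describes: each backend
# hops over pam_deny on success and ignores every other outcome.
SKIP_STACK = [
    ("[success=2 default=ignore]", "pam_unix"),
    ("[success=1 default=ignore]", "pam_ldap"),   # second backend (constructed)
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
]

# The control string suggested in the Debian bug, applied to the same backends.
# No trailing pam_permit: an undecided stack already fails.
STRICT = ("[success=ok new_authtok_reqd=done ignore=ignore "
          "user_unknown=ignore authinfo_unavail=ignore default=bad]")
STRICT_STACK = [(STRICT, "pam_unix"), (STRICT, "pam_ldap")]

def compare(unix_result, ldap_result):
    """Evaluate both stacks for one pair of backend outcomes (constructed)."""
    returns = {"pam_unix": unix_result, "pam_ldap": ldap_result,
               "pam_deny": "auth_err", "pam_permit": "success"}
    return run_stack(SKIP_STACK, returns), run_stack(STRICT_STACK, returns)

if __name__ == "__main__":
    for unix_ret, ldap_ret in [("success", "success"),
                               ("maxtries", "success"),      # locked out locally
                               ("auth_err", "success"),      # wrong local password
                               ("user_unknown", "success"),  # account only in LDAP
                               ("user_unknown", "auth_err")]:
        print("unix=%-13s ldap=%-9s skip-chain=%-9s strict=%s"
              % ((unix_ret, ldap_ret) + compare(unix_ret, ldap_ret)))
```

In the skip chain a local lockout (maxtries) or a wrong local password is discarded as soon as the second backend answers success, because default=ignore never records a failure and the numeric skip jumps straight past pam_deny. Under the stricter control string the first bad result freezes the stack status and later successes cannot override it, while user_unknown and authinfo_unavail are still ignored so an account that exists in only one database remains usable.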
