Bug 39247

Summary: pam_securetty barfs if PAM_TTY not set
Product: [Retired] Red Hat Linux Reporter: Andrew Bartlett <abartlet>
Component: pam Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact: Aaron Brown <abrown>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2001-05-06 05:58:47 UTC

Description Andrew Bartlett 2001-05-06 05:58:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i686)

Description of problem:
pam_securetty.so, used quite successfully to lock out remote root login
attempts for telnet and friends, cannot be set for applications that don't
set PAM_TTY.  Setting it locks out all users, not just root.

How reproducible:
Always

Steps to Reproduce:
1.  Choose a PAM app that does not specify PAM_TTY.
2.  Add pam_securetty.so to the app's PAM config.
3.  Watch ALL logins for this app fail.

Actual Results:  All logins failed, not just root logins.

Expected Results:  Unspecified terminal names should be treated as if they
were unlisted in /etc/securettys, and allowed normal user logins.  Root
should be banned as the terminal (not specified) is not listed in
/etc/securettys/

Additional info:

This results from the fact that the pam_securetty module checks that
PAM_TTY is set BEFORE it checks if the user is root, hence the tty check
fails and all users are locked out.

If these checks were reversed, pam_securetty could be set in
/etc/pam.d/system-auth, allowing the admin to know with confidence that
network root logins are not possible.  Admins wanting samba/OpenSSH root
logins could add 'samba'/'sshd' as the terminal name in those specific
cases, or just reconfigure PAM for that particular application.  (Samba
2.2.0 and above specify 'samba' as their terminal name, OpenSSH does
likewise if a define is set.)

Comment 1 Nalin Dahyabhai 2001-08-31 01:09:20 UTC
This should be fixed as of pam-0.75-9.  Thanks!
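
The check ordering discussed in this report, as an added example: this is a simplified model written for illustration, not the pam_securetty source or the change shipped in pam-0.75-9. The function names, the `verdict` enum and the in-memory terminal list are assumptions; a NULL `tty` stands for an application that never set PAM_TTY.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum verdict { ALLOW = 0, DENY = 1 };

/* Constructed stand-in for the secure-terminal list file. */
static const char *const secure_ttys[] = { "tty1", "tty2", "samba", NULL };

/* An unset or empty terminal name is never treated as listed. */
static int tty_is_listed(const char *tty)
{
    if (tty == NULL || *tty == '\0')
        return 0;
    if (strncmp(tty, "/dev/", 5) == 0)   /* compare without a /dev/ prefix */
        tty += 5;
    for (size_t i = 0; secure_ttys[i] != NULL; i++)
        if (strcmp(tty, secure_ttys[i]) == 0)
            return 1;
    return 0;
}

/* Reported order: the terminal check runs before the uid check. */
enum verdict check_tty_first(uid_t uid, const char *tty)
{
    if (tty == NULL || *tty == '\0')
        return DENY;                     /* fires for every user, not just root */
    if (uid != 0)
        return ALLOW;
    return tty_is_listed(tty) ? ALLOW : DENY;
}

/* Requested order: only root is subject to the terminal check. */
enum verdict check_root_first(uid_t uid, const char *tty)
{
    if (uid != 0)
        return ALLOW;                    /* normal users pass regardless of tty */
    return tty_is_listed(tty) ? ALLOW : DENY;   /* unset tty counts as unlisted */
}

int main(void)
{
    const char *ttys[] = { NULL, "/dev/tty1", "pts/3", "samba" };
    const uid_t uids[] = { 0, 500 };     /* constructed: root and a normal user */
    for (size_t u = 0; u < 2; u++)
        for (size_t t = 0; t < 4; t++)
            printf("uid=%-3u tty=%-10s tty-first=%d root-first=%d\n",
                   (unsigned)uids[u], ttys[t] ? ttys[t] : "(unset)",
                   check_tty_first(uids[u], ttys[t]), check_root_first(uids[u], ttys[t]));
    return 0;
}
```

The only rows where the two orderings disagree are non-root users with no terminal name set, which is the lockout described above.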