Bug 20518 - PAM config file for rlogin is buggy
Status: CLOSED DUPLICATE of bug 17183
Product: Red Hat Linux
Classification: Retired
Component: rsh (Show other bugs)
Version: 6.2
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: David Lawrence
Keywords: Security
Reported: 2000-11-08 09:40 EST by John Bollinger
Modified: 2007-04-18 12:29 EDT (History)
Last Closed: 2000-11-08 09:40:24 EST
Description John Bollinger 2000-11-08 09:40:22 EST
The PAM config file for rlogin specifies the rhosts_auth module at the top of the auth stack, with
key "sufficient".  This causes other modules further down the auth stack to be ignored when the
rhosts_auth module reports success; in particular the securetty and nologin modules are
skipped in that case.  The PAM documentation on the nologin module discusses this issue.
That the securetty module can be circumvented is the largest security issue here, but that nologin
can be ignored is the most clear bug (one could argue that skipping the securetty module is the
desired behavior, although I would dissent).

An improved PAM rlogin config file might look like this:

#%PAM-1.0
# Checks that must be satisfied in every case come first: a "sufficient"
# module placed above them would end the stack on success and skip them.
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
# rhosts trust is sufficient on its own, but only once the checks above passed;
# if it fails, the stack falls through to password authentication.
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so

The pwdb module must come after the rhosts_auth module for rhosts authentication to work
correctly, but any modules that must be satisfied in every case must come before.

My personal preference, by the way, is to apply the "requisite" control flag to the nologin
module instead of the "required" flag -- the nologin file is displayed in either case, and with
"requisite" the user is spared the rest of the process.

I have some other issues with various PAM configs in the rsh-server and other packages,
which I will report separately.
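The report's two points, that a "sufficient" module placed above the securetty and nologin checks lets a successful rhosts match skip them, and that "requisite" on nologin spares the user the rest of the stack, can be checked with a small model of Linux-PAM control-flag evaluation. The following is an added example, not code from the report or from Linux-PAM; the stacks, module names and the per-session results are constructed to mirror the description above, and the original rlogin file's exact contents are assumed from the report rather than quoted from the package.

```python
"""Minimal model of Linux-PAM auth-stack evaluation (constructed example,
not Linux-PAM code). Each stack entry is (control flag, module name); a
dict of module -> bool stands in for what each module would return."""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]

# Assumed shape of the original Red Hat 6.2 rlogin stack as the report
# describes it: rhosts_auth "sufficient" at the top of the auth stack.
ORIGINAL_RLOGIN: Stack = [
    ("sufficient", "pam_rhosts_auth"),
    ("required", "pam_securetty"),
    ("required", "pam_nologin"),
    ("required", "pam_pwdb"),
]

# The reordering proposed in the report: must-always-pass checks first.
PROPOSED_RLOGIN: Stack = [
    ("required", "pam_nologin"),
    ("required", "pam_securetty"),
    ("sufficient", "pam_rhosts_auth"),
    ("required", "pam_pwdb"),
]

# The reporter's stated preference: nologin as "requisite".
REQUISITE_RLOGIN: Stack = [
    ("requisite", "pam_nologin"),
    ("required", "pam_securetty"),
    ("sufficient", "pam_rhosts_auth"),
    ("required", "pam_pwdb"),
]

# Constructed session: rhosts trust matches, but /etc/nologin exists and the
# tty is not listed in /etc/securetty (both checks would fail).
BLOCKED_SESSION: Dict[str, bool] = {
    "pam_rhosts_auth": True, "pam_securetty": False,
    "pam_nologin": False, "pam_pwdb": True,
}
# Constructed session: everything passes, rhosts trust should suffice.
NORMAL_RHOSTS_SESSION: Dict[str, bool] = {
    "pam_rhosts_auth": True, "pam_securetty": True,
    "pam_nologin": True, "pam_pwdb": True,
}


def evaluate(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack with Linux-PAM control-flag semantics.

    Returns (authenticated, modules actually consulted, in order).
    """
    consulted: List[str] = []
    required_failed = False
    for control, module in stack:
        consulted.append(module)
        ok = results.get(module, False)
        if control == "requisite":
            if not ok:
                return False, consulted      # abort the stack immediately
        elif control == "required":
            if not ok:
                required_failed = True       # remember, but keep walking
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted       # short-circuit: rest is skipped
            # a failing "sufficient" module is simply ignored
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, consulted


def skipped_checks(stack: Stack, results: Dict[str, bool]) -> List[str]:
    """Modules in the stack that were never consulted for this session."""
    _, consulted = evaluate(stack, results)
    return [m for _, m in stack if m not in consulted]


if __name__ == "__main__":
    for name, stack in [("original", ORIGINAL_RLOGIN),
                        ("proposed", PROPOSED_RLOGIN),
                        ("requisite", REQUISITE_RLOGIN)]:
        auth, seen = evaluate(stack, BLOCKED_SESSION)
        print(f"{name:9s} blocked session: auth={auth} consulted={seen} "
              f"skipped={skipped_checks(stack, BLOCKED_SESSION)}")
```

With the original ordering the blocked session authenticates after consulting only pam_rhosts_auth, which is exactly the skipped securetty and nologin check the report describes; the proposed ordering consults every module and denies; the "requisite" variant denies after the first module. In the normal session the proposed stack stops at pam_rhosts_auth and never reaches pam_pwdb, which is why the password module must sit below rhosts_auth for rhosts trust to work without a password prompt.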
Comment 1 Phil Knirsch 2001-06-16 11:14:01 EDT
Has been fixed in the current release (RH 7.1).

Read ya, Phil

*** This bug has been marked as a duplicate of 17183 ***
