Bug 20518 - PAM config file for rlogin is buggy
Summary: PAM config file for rlogin is buggy
Status: CLOSED DUPLICATE of bug 17183
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rsh
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-11-08 14:40 UTC by John Bollinger
Modified: 2007-04-18 16:29 UTC (History)
0 users

Clone Of:
Last Closed: 2000-11-08 14:40:24 UTC

Attachments (Terms of Use)

Description John Bollinger 2000-11-08 14:40:22 UTC
The PAM config file for rlogin specifies the rhosts_auth module at the top of the auth stack, with
key "sufficient".  This causes other modules further down the auth stack to be ignored when the
rhosts_auth module reports success; in particular the securetty and nologin modules are
skipped in that case.  The PAM documentation on the nologin module discusses this issue.
That the securetty module can be circumvented is the largest security issue here, but that nologin
can be ignored is the most clear bug (one could argue that skipping the securetty module is the
desired behavior, although I would dissent).

An improved PAM rlogin config file might look like this:

auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so

The pwdb module must come after the rhosts_auth module for rhosts authentication to work
correctly, but any modules that must be satisfied in every case must come before.

My personal preference, by the way, is to apply the "requisite" control flag to the nologin
module instead of the "required" flag -- the nologin file is displayed in either case, and with
"requisite" the user is spared the rest of the process.

I have some other issues with various PAM configs in the rsh-server and other packages,
which I will report seperately.

Comment 1 Phil Knirsch 2001-06-16 15:14:01 UTC
Has been fixed for in the current release (RH 7.1).

Read ya, Phil

*** This bug has been marked as a duplicate of 17183 ***

Note You need to log in before you can comment on or make changes to this bug.