Red Hat Bugzilla – Bug 20518
PAM config file for rlogin is buggy
Last modified: 2007-04-18 12:29:44 EDT
The PAM config file for rlogin specifies the rhosts_auth module at the top of the auth stack, with
key "sufficient". This causes other modules further down the auth stack to be ignored when the
rhosts_auth module reports success; in particular the securetty and nologin modules are
skipped in that case. The PAM documentation on the nologin module discusses this issue.
That the securetty module can be circumvented is the largest security issue here, but that nologin
can be ignored is the most clear bug (one could argue that skipping the securetty module is the
desired behavior, although I would dissent).
An improved PAM rlogin config file might look like this:
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
The pwdb module must come after the rhosts_auth module for rhosts authentication to work
correctly, but any modules that must be satisfied in every case must come before.
My personal preference, by the way, is to apply the "requisite" control flag to the nologin
module instead of the "required" flag -- the nologin file is displayed in either case, and with
"requisite" the user is spared the rest of the process.
I have some other issues with various PAM configs in the rsh-server and other packages,
which I will report seperately.
Has been fixed for in the current release (RH 7.1).
Read ya, Phil
*** This bug has been marked as a duplicate of 17183 ***