Bug 20526 - PAM config file for login should make nologin requisite
Summary: PAM config file for login should make nologin requisite
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: util-linux   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Erik Troan
QA Contact: Dale Lovelace
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-11-08 16:07 UTC by John Bollinger
Modified: 2007-04-18 16:29 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-09 00:11:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description John Bollinger 2000-11-08 16:07:09 UTC 
The PAM config file for login should have the nologin module at the top of the authentication stack with control flag
"requisite."    The contents of the nologin file will be displayed in any case (with the default configs), so moving the
module to the top of the stack in no way increases security exposure.  Putting that module at the top and making it
requisite, however, does reduce the nuisance value of being prompted for a password when access will in any
case assuredly be denied.  It furthermore is a minor security gain in the case of a network login (e.g. telnet) because
no password will ever be sent across the network in the case that, because of the nologin module, there is no chance
that access will be granted.
Comment 1 Erik Troan 2001-02-09 00:11:08 UTC 
This is a small win, and nobody else has asked for it. I think this is really
policy that's site-dependent.
Note You need to log in before you can comment on or make changes to this bug.