Bug 39247 - pam_securetty barfs if PAM_TTY not set
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam   
Version: 6.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Reported: 2001-05-06 05:58 UTC by Andrew Bartlett
Modified: 2007-04-18 16:33 UTC

Doc Type: Bug Fix
Last Closed: 2001-05-06 05:58:47 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2001:149
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated pam and usermode packages available
Last Updated: 2001-11-02 05:00:00 UTC

Description Andrew Bartlett 2001-05-06 05:58:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i686)

Description of problem:
pam_securetty.so, used quite successfully to lock out remote root login
attempts for telnet and friends, cannot be set for applications that don't
set PAM_TTY.  Setting it locks out all users, not just root.

How reproducible:

Steps to Reproduce:
1.  Choose a PAM app that does not specify PAM_TTY.
2.  Add pam_securetty.so to the app's PAM config.
3.  Watch ALL logins for this app fail.

Actual Results:  All logins failed, not just root logins.

Expected Results:  Unspecified terminal names should be treated as if they
were unlisted in /etc/securettys, and allowed normal user logins.  Root
should be banned as the terminal (not specified) is not listed in

Additional info:

This results from the fact that the pam_securetty module checks that
PAM_TTY is set BEFORE it checks if the user is root, hence the tty check
fails and all users are locked out.

If these checks were reversed, pam_securetty could be set in
/etc/pam.d/system-auth, allowing the admin to know with confidence that
network root logins are not possible.  Admins wanting samba/OpenSSH root
logins could add 'samba'/'sshd' as the terminal name in those specific
cases, or just reconfigure PAM for that particular application.  (Samba
2.2.0 and above specify 'samba' as their terminal name, OpenSSH does
likewise if a define is set.).
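
A simplified model of the two check orderings described in this report, added here as an illustration; it is not the pam_securetty source and is not part of the original report. The function names, the is_root flag, the ALLOW/DENY codes and the sample terminal list are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for PAM return codes, so the model builds without libpam. */
enum verdict { ALLOW = 0, DENY = 1 };

/* Constructed sample of a securetty-style list: one terminal name per line. */
static const char SAMPLE_SECURETTY[] = "tty1\ntty2\nsamba\n";

/* Return 1 if tty matches a whole line of list, 0 otherwise. */
static int tty_listed(const char *list, const char *tty)
{
    size_t n = strlen(tty);
    while (*list) {
        const char *eol = strchr(list, '\n');
        size_t len = eol ? (size_t)(eol - list) : strlen(list);
        if (len == n && memcmp(list, tty, n) == 0)
            return 1;
        list += len + (eol ? 1 : 0);
    }
    return 0;
}

/* Order described in the report: the tty is examined before the user. */
enum verdict check_tty_first(int is_root, const char *tty)
{
    if (tty == NULL || *tty == '\0')
        return DENY;              /* every user fails when PAM_TTY is unset */
    if (!is_root)
        return ALLOW;
    return tty_listed(SAMPLE_SECURETTY, tty) ? ALLOW : DENY;
}

/* Order the report asks for: non-root users pass before the tty is read. */
enum verdict check_user_first(int is_root, const char *tty)
{
    if (!is_root)
        return ALLOW;
    if (tty == NULL || *tty == '\0')
        return DENY;              /* an unset tty is treated as unlisted */
    return tty_listed(SAMPLE_SECURETTY, tty) ? ALLOW : DENY;
}

int main(void)
{
    printf("unset tty, user: tty_first=%d user_first=%d\n",
           check_tty_first(0, NULL), check_user_first(0, NULL));
    printf("unset tty, root: tty_first=%d user_first=%d\n",
           check_tty_first(1, NULL), check_user_first(1, NULL));
    return 0;
}
```

With the user check first, root is still refused on an unset or unlisted terminal, while a listed name such as 'samba' admits root only where the admin has opted in.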

Comment 1 Nalin Dahyabhai 2001-08-31 01:09:20 UTC
This should be fixed as of pam-0.75-9.  Thanks!
