Red Hat Bugzilla – Bug 39247
pam_securetty barfs if PAM_TTY not set
Last modified: 2007-04-18 12:33:05 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i686)
Description of problem:
pam_securetty.so, used quite successfully to lock out remote root login
attempts for telnet and friends, cannot be set for applications that don't
set PAM_TTY. Setting it locks out all users, not just root.
Steps to Reproduce:
1. Choose a PAM app that does not specify PAM_TTY.
2. Add pam_securetty.so to the app's PAM config.
3. Watch ALL logins for this app fail.
Actual Results: All logins failed, not just root logins.
Expected Results: Unspecified terminal names should be treated as if they
were unlisted in /etc/securettys, and allowed normal user logins. Root
should be banned as the terminal (not specified) is not listed in
This results from the fact that the pam_securetty module checks that
PAM_TTY is set BEFORE it checks if the user is root, hence the tty check
fails and all users are locked out.
If these checks were reversed, pam_securetty could be set in
/etc/pam.d/system-auth, allowing the admin to know with confidence that
network root logins are not possible. Admins wanting samba/OpenSSH root
logins could add 'samba'/'sshd' as the terminal name in those specific
cases, or just reconfigure PAM for that particular application. (Samba
2.2.0 and above specify 'samba' as their terminal name; OpenSSH does
likewise if a define is set).
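The check-order problem described in the report, as an added illustration that is not the pam_securetty source: a constructed model of the module's decision logic with the tty checked before the user (the behaviour reported) next to the reversed order the reporter asks for. The securetty list, the string comparison against "root" (the real module compares the uid), and the return-code constants are assumptions made for this example.

```c
/* Constructed model of pam_securetty's decision logic; not the module's code. */
#include <stdio.h>
#include <string.h>

/* Numeric values mirror Linux-PAM's, but are defined here so the example
 * builds without libpam headers. */
enum { PAM_SUCCESS = 0, PAM_SERVICE_ERR = 3, PAM_AUTH_ERR = 7 };

/* Constructed stand-in for the contents of /etc/securetty. */
static const char *secure_ttys[] = { "tty1", "tty2", "console", NULL };

static int tty_is_secure(const char *tty) {
    for (int i = 0; secure_ttys[i] != NULL; i++)
        if (strcmp(secure_ttys[i], tty) == 0) return 1;
    return 0;
}

/* Order described in the report: PAM_TTY is validated before the user is
 * considered, so an application that never sets PAM_TTY fails everyone. */
int securetty_old_order(const char *user, const char *tty) {
    if (tty == NULL || *tty == '\0') return PAM_SERVICE_ERR; /* hits all users */
    if (strcmp(user, "root") != 0) return PAM_SUCCESS;
    return tty_is_secure(tty) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Reversed order requested by the report: non-root users pass regardless of
 * the tty; for root, a missing tty is treated like an unlisted terminal. */
int securetty_new_order(const char *user, const char *tty) {
    if (strcmp(user, "root") != 0) return PAM_SUCCESS;
    if (tty == NULL || *tty == '\0') return PAM_AUTH_ERR; /* unlisted: deny */
    return tty_is_secure(tty) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int main(void) {
    const char *users[] = { "alice", "root" };
    const char *ttys[] = { NULL, "tty1", "pts/3" }; /* NULL = PAM_TTY unset */
    for (int u = 0; u < 2; u++)
        for (int t = 0; t < 3; t++)
            printf("%-5s tty=%-7s old=%d new=%d\n", users[u],
                   ttys[t] ? ttys[t] : "(unset)",
                   securetty_old_order(users[u], ttys[t]),
                   securetty_new_order(users[u], ttys[t]));
    return 0;
}
```

With the old order every row with an unset tty returns PAM_SERVICE_ERR; with the new order only root is refused there, and root on tty1 is still allowed.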
This should be fixed as of pam-0.75-9. Thanks!