Bug 39247 - pam_securetty barfs if PAM_TTY not set
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 6.2
Hardware: i386 Linux
Priority: medium; Severity: medium
Assigned To: Nalin Dahyabhai
Aaron Brown
Reported: 2001-05-06 01:58 EDT by Andrew Bartlett
Modified: 2007-04-18 12:33 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-05-06 01:58:47 EDT
Description Andrew Bartlett 2001-05-06 01:58:43 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.1 i686)

Description of problem:
pam_securetty.so, used quite successfully to lock out remote root login
attempts for telnet and friends, cannot be set for applications that don't
set PAM_TTY.  Setting it locks out all users, not just root.

How reproducible:
Always

Steps to Reproduce:
1.  Choose a PAM app that does not specify PAM_TTY.
2.  Add pam_securetty.so to the app's PAM config.
3.  Watch ALL logins for this app fail.
	

Actual Results:  All logins failed, not just root logins.

Expected Results:  Unspecified terminal names should be treated as if they
were unlisted in /etc/securettys, and allowed normal user logins.  Root
should be banned as the terminal (not specified) is not listed in
/etc/securettys/

Additional info:

This results from the fact that the pam_securetty module checks that
PAM_TTY is set BEFORE it checks if the user is root, hence the tty check
fails and all users are locked out.

If these checks were reversed, pam_securetty could be set in
/etc/pam.d/system-auth, allowing the admin to know with confidence that
network root logins are not possible.  Admins wanting samba/OpenSSH root
logins could add 'samba'/'sshd' as the terminal name in those specific
cases, or just reconfigure PAM for that particular application.  (Samba
2.2.0 and above specify 'samba' as their terminal name, OpenSSH does
likewise if a define is set.)
Comment 1 Nalin Dahyabhai 2001-08-30 21:09:20 EDT
This should be fixed as of pam-0.75-9.  Thanks!
