diff options
author | nekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7> | 2009-07-23 20:56:32 +0000 |
---|---|---|
committer | nekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7> | 2009-07-23 20:56:32 +0000 |
commit | 1a58cb23467508001dc179e2eef2d2a53dd54c77 (patch) | |
tree | 58c0af540a0f46ebbee881cab745e5d760527037 /debian/login.pam | |
parent | 01b11c5f8430ef97851d24547cb30472719c0cbc (diff) | |
download | shadow-1a58cb23467508001dc179e2eef2d2a53dd54c77.tar.gz |
* debian/login.pam: pam_securetty included as a required module instead of
requisite to avoid leak of user name information. Closes: #531341
Diffstat (limited to 'debian/login.pam')
-rw-r--r-- | debian/login.pam | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/debian/login.pam b/debian/login.pam index 33e48a76..65f07d8c 100644 --- a/debian/login.pam +++ b/debian/login.pam @@ -14,13 +14,11 @@ auth optional pam_faildelay.so delay=3000000 # Disallows root logins except on tty's listed in /etc/securetty # (Replaces the `CONSOLE' setting from login.defs) -# Note that it is included as a "requisite" module. No password prompts will -# be displayed if this module fails to avoid having the root password -# transmitted on unsecure ttys. -# You can change it to a "required" module if you think it permits to -# guess valid user names of your system (invalid user names are considered -# as possibly being root). -auth requisite pam_securetty.so +# Note that it is included as a "required" module. root will be +# prompted for a password on insecure ttys. +# If you change it to a "requisite" module, make sure this does not leak +# user name information. +auth required pam_securetty.so # Disallows other than root logins when /etc/nologin exists # (Replaces the `NOLOGINS_FILE' option from login.defs) |