Revert pam_securetty to "requisite"

author: bubulle <bubulle@5a98b0ae-9ef6-0310-add3-de5d479b70d7> 2010-03-16 06:59:46 +0000
committer: bubulle <bubulle@5a98b0ae-9ef6-0310-add3-de5d479b70d7> 2010-03-16 06:59:46 +0000
commit: f5e0895b3a8717df16181c305ba60b6b25f072d5 (patch)
tree: 5b059390c94e37d90bfebbfa4f5e2dafe5939c36 /debian/login.pam
parent: da9a0615de8e2cc69a7e928e81fd18e330c161e1 (diff)
download: shadow-f5e0895b3a8717df16181c305ba60b6b25f072d5.tar.gz
1 files changed, 7 insertions, 5 deletions
diff --git a/debian/login.pam b/debian/login.pam
index 65f07d8c..33e48a76 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -14,11 +14,13 @@ auth       optional   pam_faildelay.so  delay=3000000
 
 # Disallows root logins except on tty's listed in /etc/securetty
 # (Replaces the `CONSOLE' setting from login.defs)
-# Note that it is included as a "required" module. root will be
-# prompted for a password on insecure ttys.
-# If you change it to a "requisite" module, make sure this does not leak
-# user name information.
-auth       required  pam_securetty.so
+# Note that it is included as a "requisite" module. No password prompts will
+# be displayed if this module fails to avoid having the root password
+# transmitted on unsecure ttys.
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root).
+auth       requisite  pam_securetty.so
 
 # Disallows other than root logins when /etc/nologin exists
 # (Replaces the `NOLOGINS_FILE' option from login.defs)
author	bubulle <bubulle@5a98b0ae-9ef6-0310-add3-de5d479b70d7>	2010-03-16 06:59:46 +0000
committer	bubulle <bubulle@5a98b0ae-9ef6-0310-add3-de5d479b70d7>	2010-03-16 06:59:46 +0000
commit	f5e0895b3a8717df16181c305ba60b6b25f072d5 (patch)
tree	5b059390c94e37d90bfebbfa4f5e2dafe5939c36 /debian/login.pam
parent	da9a0615de8e2cc69a7e928e81fd18e330c161e1 (diff)
download	shadow-f5e0895b3a8717df16181c305ba60b6b25f072d5.tar.gz