Subject: Re: login too verbose during failed login
To: Martin Husemann <martin@duskware.de>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 09/19/2005 02:20:14
On Jan 17,  4:00pm, Martin Husemann wrote:
} On Sat, Aug 27, 2005 at 02:20:32PM +0300, Elad Efrat wrote:
} > Why? Is there a reason to provide different messages on login failures?
} 
} No, but there should be a proper error message logged somewhere - so the
} newbie system administrator that finds himself logged out of ttyE2 (or
} what have you - IMHO the telnet example is ~irrelevant nowadays) has
} a chance to learn the cause of his problem and fix it.

     Actually, the telnet example is relevant, since the actual message
is coming from login.  You would get the same message if you were
coming in over a serial line or using a virtual terminal that wasn't
marked 'secure'.  See lib/30923 for details.  Zafer has now appended a
message that I originally authored which explains the problem in detail
and contains a patch for it (I also authored the patch).

     As for logging the exact reason somewhere, this would have to be
done from the PAM module that denied the login, since it is the only
thing that knows the reason.  I could write a patch for the PAM module
easily enough.  However, the problem that concerns me is whether I
would mess up logging by the application (in this case, most likely
login) by calling openlog() within a PAM module.  I think we need some
way that a library can make log entries without messing up logging done
by applications using the library.

     Note that there is also lib/31059 for systems that pre-date PAM.
I just appended a patch to that PR to change the behaviour on older
systems.

}-- End of excerpt from Martin Husemann
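An added example (not code from this thread, NetBSD's login, or its PAM modules) of one way a PAM module could log the denial reason that the second paragraph discusses: it writes to the auth facility with syslog(3) but never calls openlog()/closelog(), so the ident and options the application set stay in force. The module name pam_securetty and the pam_* function names are hypothetical, and the denied-login record below is constructed for illustration.

```c
/* Added example: a PAM module recording why it refused a login without
 * touching the process-wide openlog() state owned by the application. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

#define PAM_LOG_TAG "pam_securetty"   /* hypothetical module name */

/* Copy src into dst, replacing non-printable bytes with '?', so that a
 * username typed at the login prompt cannot inject fake lines or
 * control sequences into the auth log. */
static void log_sanitize(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Build the log record in out; the module's own tag goes into the
 * message text instead of into openlog()'s ident. Returns the length
 * snprintf() reports. */
int pam_format_denial(char *out, size_t outlen, const char *user,
                      const char *tty, const char *reason)
{
    char u[64], t[32];
    log_sanitize(u, sizeof u, user);
    log_sanitize(t, sizeof t, tty);
    return snprintf(out, outlen, "%s: login for '%s' on %s denied: %s",
                    PAM_LOG_TAG, u, t, reason);
}

/* Emit the record with an explicit facility. No openlog()/closelog()
 * here: both alter per-process state (ident, LOG_PID, facility) that
 * the calling application, e.g. login, relies on for its own entries. */
void pam_log_denial(const char *user, const char *tty, const char *reason)
{
    char msg[256];
    pam_format_denial(msg, sizeof msg, user, tty, reason);
    syslog(LOG_AUTH | LOG_NOTICE, "%s", msg);
}
```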