Subject: Re: login too verbose during failed login
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 09/27/2005 08:43:46
>     Actually, the telnet example is relevant, since the actual message
>is coming from login.  You would get the same message if you were
>coming in over a serial line or using a virtual terminal that wasn't
>marked 'secure'.  See lib/30923 for details.  Zafer has now appended a
>message that I originally authored which explains the problem in detail
>and contains a patch for it (I also authored the patch).

patch looks reasonable, and yes, login should only ever say "login incorrect"

>     As for logging the exact reason somewhere, this would have to be
>done from the PAM module that denied the login, since it is the only
>thing that knows the reason.  I could write a patch for the PAM module
>easily enough.  However, the problem that concerns me is whether I
>would mess up logging by the application (in this case, most likely
>login) by calling openlog() within a PAM module.  I think we need some
>way that a library can make log entries without messing up logging done
>by applications using the library.

Just call syslog() (i.e. skip the openlog()); it is unlikely
that any auth related application won't have done openlog before
invoking PAM.  If someone writes such an app - they clearly deserve to
be mystified by any failures that don't get logged.

--sjg
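The pattern discussed above, as an added example that is not part of this thread or of NetBSD's login/PAM code: the library side records the real denial reason with a bare syslog() call (no openlog()), so the application's ident is reused, while the application shows the user only "Login incorrect". The reason codes and function names are constructed for the example, not PAM or NetBSD identifiers.

```c
/* Added example (not from the thread or NetBSD sources): a library-side
 * helper that records the real reason a login was refused via syslog()
 * without ever calling openlog(), so the calling application's ident
 * (e.g. "login") and facility are kept, while the caller shows only
 * "Login incorrect". The reason codes and function names below are
 * constructed for this example; they are not PAM or NetBSD identifiers. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

enum deny_reason {            /* constructed reason codes for the example */
    DENY_BAD_PASSWORD,
    DENY_NO_SUCH_USER,
    DENY_TTY_NOT_SECURE       /* root login on a tty not marked 'secure' */
};

/* Text that goes to the audit log only, never to the user. */
const char *deny_reason_text(enum deny_reason r)
{
    switch (r) {
    case DENY_BAD_PASSWORD:   return "bad password";
    case DENY_NO_SUCH_USER:   return "no such user";
    case DENY_TTY_NOT_SECURE: return "tty not marked secure";
    }
    return "unknown reason";
}

/* Library-side logging: plain syslog(), no openlog(). Only a priority is
 * passed, so the ident and facility already set by the application
 * (login, sshd, ...) are inherited and its own logging is not disturbed. */
void lib_log_denial(const char *user, const char *tty, enum deny_reason r)
{
    syslog(LOG_NOTICE, "login refused for %s on %s: %s",
           user, tty, deny_reason_text(r));
}

/* Application side: whatever the reason, the user sees one fixed string. */
const char *user_visible_message(enum deny_reason r)
{
    (void)r;                  /* deliberately unused: no reason leaks */
    return "Login incorrect";
}

int main(void)
{
    openlog("login", LOG_PID, LOG_AUTH);   /* the application's openlog */
    lib_log_denial("root", "ttyp0", DENY_TTY_NOT_SECURE);
    printf("%s\n", user_visible_message(DENY_TTY_NOT_SECURE));
    closelog();
    return 0;
}
```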