Subject: Re: login too verbose during failed login
To: Simon J. Gerraty <sjg@crufty.net>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 09/27/2005 12:49:40
On Jan 12,  8:51pm, Simon J. Gerraty wrote:
}
} >     Actually, the telnet example is relevant, since the actual message
} >is coming from login.  You would get the same message if you were
} >coming in over a serial line or using a virtual terminal that wasn't
} >marked 'secure'.  See lib/30923 for details.  Zafer has now appended a
} >message that I originally authored which explains the problem in detail
} >and contains a patch for it (I also authored the patch).
} 
} patch looks reasonable, and yes, login should only ever say "login incorrect"

     Can you commit it and request a pullup to netbsd-3 so that we can
move on, please?  There is also lib/31059.  Same problem, but for
systems that don't use PAM.  For some reason, my patch hasn't shown up
in the PR.  Here it is (it should be pulled up to netbsd-2 and
netbsd-3):

--- login.c.orig	2005-08-24 13:07:05.000000000 -0700
+++ login.c	2005-08-24 13:08:30.000000000 -0700
@@ -503,9 +503,7 @@
 		 * but with insecure terminal, refuse the login attempt.
 		 */
 		if (pwd && !rval && rootlogin && !rootterm(tty)) {
-			(void)fprintf(stderr,
-			    "%s login refused on this terminal.\n",
-			    pwd->pw_name);
+			(void)printf("Login incorrect\n");
 			if (hostname)
 				syslog(LOG_NOTICE,
 				    "LOGIN %s REFUSED FROM %s ON TTY %s",
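Review bot: the replacement changes the output stream as well as the text: the removed code wrote to stderr with fprintf(stderr, ...), while the added line uses printf("Login incorrect\n") on stdout. That is correct only if it matches the stream the existing generic "Login incorrect" message in login.c uses, since the whole point of the change is that a refused root login on an insecure terminal must be indistinguishable from a bad password; if the normal failure path writes to stderr, use fprintf(stderr, "Login incorrect\n") here instead. The syslog(LOG_NOTICE, "LOGIN %s REFUSED FROM %s ON TTY %s", ...) call in the trailing context is untouched, so the administrator still gets the real reason from the log; it is worth saying in the commit message that the information is deliberately kept only there.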

} >     As for logging the exact reason somewhere, this would have to be
} >done from the PAM module that denied the login, since it is the only
} >thing that knows the reason.  I could write a patch for the PAM module
} >easily enough.  However, the problem that concerns me is whether I
} >would mess up logging by the application (in this case, most likely
} >login) by calling openlog() within a PAM module.  I think we need some
} >way that a library can make log entries without messing up logging done
} >by applications using the library.
} 
} Just call syslog() (i.e. skip the openlog()), it is unlikely
} that any auth related application won't have done openlog before
} invoking PAM.  If someone writes such an app - they clearly deserve to
} be mystified by any failures that don't get logged.

     I was thinking of modifying my patch for login, like so:

--- login_pam.c.orig	2005-09-27 12:44:58.000000000 -0700
+++ login_pam.c	2005-09-27 12:43:18.000000000 -0700
@@ -389,6 +389,15 @@ main(int argc, char *argv[])
 					PAM_END("pam_chauthtok");
 				break;
 
+			case PAM_AUTH_ERR:
+			case PAM_USER_UNKNOWN:
+			case PAM_MAXTRIES:
+				syslog(LOG_ERR, "pam_acct_mgmt: %s (perhaps
+				    root login on insecure terminal?)",
+				    pam_strerror(pamh, pam_err));
+				auth_passed = 0;
+				break;
+
 			default:
 				PAM_END("pam_acct_mgmt");
 				break;
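Review bot: the added syslog() call will not compile as posted: the format string is broken across two source lines inside the double quotes ("pam_acct_mgmt: %s (perhaps" continuing on the next line with "root login on insecure terminal?)"), and C does not allow a raw newline inside a string literal. Split it into two adjacent literals, "pam_acct_mgmt: %s (perhaps " followed by "root login on insecure terminal?)", which the compiler concatenates. Two smaller points: the hard-coded "perhaps root login on insecure terminal?" hint is only a guess from login's side, since, as the reply above says, only the PAM module that denied the login knows the actual reason, so the wording may mislead when PAM_AUTH_ERR, PAM_USER_UNKNOWN or PAM_MAXTRIES comes from some other module; and the login.c hunk records the same kind of refusal at LOG_NOTICE, so LOG_ERR here is inconsistent for what is a routine denied attempt.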

}-- End of excerpt from Simon J. Gerraty