Subject: PRs 30923 and 31059
To: None <tech-security@netbsd.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 02/07/2006 19:02:16
Back in August of last year PR 30923 -- PAM too verbose and PR
31059 -- login too verbose were filed by Zafer Aydogan. These PRs
basically pertained to login giving different messages when somebody
attempted to login as root on an insecure terminal depending on whether
the password they provided was correct. I have patches ready to go for
both PRs; however, I was asked to post here since there was a
protracted discussion last year.
There were two issues. The first was that one person requested a
flag in login.conf to select between traditional behaviour and always
giving a "Login incorrect" message. Everybody else said not to bother
with a flag as it was a security issue and should be fixed as soon as
possible. Thus, I didn't bother with a flag as I agree that one isn't
needed. The other issue was that an appropriate message should be
logged. In the case of PR 31059, login already did so. For PR 30923,
I have prepared a patch for pam_securetty to do so.
Here are the tested patches. They are the same as the patches
that were posted last August with the addition of a patch for
pam_securetty. Does anybody have any issue with them?
--- login_pam.c.orig 2006-02-07 15:58:06.000000000 -0800
+++ login_pam.c 2006-02-07 18:46:21.000000000 -0800
@@ -380,6 +380,12 @@ main(int argc, char *argv[])
PAM_END("pam_chauthtok");
break;
+ case PAM_AUTH_ERR:
+ case PAM_USER_UNKNOWN:
+ case PAM_MAXTRIES:
+ auth_passed = 0;
+ break;
+
default:
PAM_END("pam_acct_mgmt");
break;
--- login.c.orig 2006-02-07 17:11:30.000000000 -0800
+++ login.c 2006-02-07 17:12:36.000000000 -0800
@@ -503,9 +503,7 @@ main(int argc, char *argv[])
* but with insecure terminal, refuse the login attempt.
*/
if (pwd && !rval && rootlogin && !rootterm(tty)) {
- (void)fprintf(stderr,
- "%s login refused on this terminal.\n",
- pwd->pw_name);
+ (void)printf("Login incorrect\n");
if (hostname)
syslog(LOG_NOTICE,
"LOGIN %s REFUSED FROM %s ON TTY %s",
--- pam_securetty.c.orig 2006-02-07 16:50:00.000000000 -0800
+++ pam_securetty.c 2006-02-07 18:45:27.000000000 -0800
@@ -48,6 +48,7 @@ __RCSID("$NetBSD: pam_securetty.c,v 1.4
#include <pwd.h>
#include <ttyent.h>
#include <string.h>
+#include <syslog.h>
#define PAM_SM_ACCOUNT
@@ -65,6 +66,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh __un
struct ttyent *ty;
const char *user;
const void *tty;
+ const void *hostname;
int pam_err;
char pwbuf[1024];
@@ -98,6 +100,21 @@ pam_sm_acct_mgmt(pam_handle_t *pamh __un
(ty->ty_status & TTY_SECURE) != 0)
return (PAM_SUCCESS);
+ pam_err = pam_get_item(pamh, PAM_RHOST, &hostname);
+ if (pam_err != PAM_SUCCESS)
+ hostname = NULL;
+
+ if (hostname)
+ syslog(LOG_NOTICE,
+ "LOGIN %s REFUSED FROM %s ON TTY %s",
+ pwd->pw_name, (const char *)hostname,
+ (const char *)tty);
+ else
+ syslog(LOG_NOTICE,
+ "LOGIN %s REFUSED ON TTY %s",
+ pwd->pw_name, (const char *)tty);
+
+
PAM_VERBOSE_ERROR("Not on secure TTY");
return (PAM_AUTH_ERR);
}