Subject: Re: PRs 30923 and 31059
To: None <email@example.com>
From: Rui Paulo <firstname.lastname@example.org>
Date: 02/08/2006 03:12:49
email@example.com (John Nemeth) writes:
> Back in August of last year PR 30923 -- PAM too verbose and PR
> 31059 -- login too verbose were filed by Zafer Aydogan. These PRs
> basically pertained to login giving different messages when somebody
> attempted to log in as root on an insecure terminal depending on whether
> the password they provided was correct. I have patches ready to go for
> both PRs; however, I was asked to post here since there was a
> protracted discussion last year.
> There were two issues. The first was that one person requested a
> flag in login.conf to select between traditional behaviour and always
> giving a "Login incorrect" message. Everybody else said not to bother
> with a flag as it was a security issue and should be fixed as soon as
> possible. Thus, I didn't bother with a flag as I agree that one isn't
> needed. The other issue was that an appropriate message should be
> logged. In the case of PR 31059, login already did so. For PR 30923,
> I have prepared a patch for pam_securetty to do so.
> Here are the tested patches. They are the same as the patches
> that were posted last August with the addition of a patch for
> pam_securetty. Does anybody have any issue with them?
Rui Paulo - firstname.lastname@example.org
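
An added illustration of the behaviour described in the quoted message, not the patches from the PRs and not NetBSD source: a constructed C model of the login decision before and after the change, showing that the user-visible reply stops depending on the password while the refusal is still logged. The message wording, `struct attempt`, and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not NetBSD login/pam_securetty source. */
struct attempt { const char *user; int tty_secure; int password_ok; };

#define MSG_FAIL    "Login incorrect"
#define MSG_REFUSED "root login refused on this terminal" /* assumed wording */

static char audit_log[128];            /* stands in for syslog(3) */

static int root_on_insecure_tty(const struct attempt *a) {
    return strcmp(a->user, "root") == 0 && !a->tty_secure;
}

static void audit_refusal(const struct attempt *a) {
    snprintf(audit_log, sizeof audit_log, "LOGIN %s REFUSED on insecure tty", a->user);
}

/* Before: the terminal refusal is only shown once the password has checked
 * out, so the reply tells a guesser whether the root password was right. */
const char *reply_before(const struct attempt *a) {
    audit_log[0] = '\0';
    if (!a->password_ok) return MSG_FAIL;
    if (root_on_insecure_tty(a)) { audit_refusal(a); return MSG_REFUSED; }
    return NULL;                       /* NULL = login proceeds */
}

/* After: one reply for every failure; the real reason goes only to the log. */
const char *reply_after(const struct attempt *a) {
    audit_log[0] = '\0';
    if (root_on_insecure_tty(a)) { audit_refusal(a); return MSG_FAIL; }
    return a->password_ok ? NULL : MSG_FAIL;
}

const char *last_audit(void) { return audit_log; }

/* 1 if a right and a wrong root password on an insecure tty get different replies. */
int leaks_password_validity(const char *(*reply)(const struct attempt *)) {
    struct attempt good = { "root", 0, 1 }, bad = { "root", 0, 0 };
    const char *rg = reply(&good), *rb = reply(&bad);
    if (rg == NULL || rb == NULL) return rg != rb;
    return strcmp(rg, rb) != 0;
}

int main(void) {
    printf("before leaks: %d\n", leaks_password_validity(reply_before));
    printf("after leaks:  %d\n", leaks_password_validity(reply_after));
    return 0;
}
```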