Subject: login allows login without password
To: None <tech-security@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 05/04/2007 16:55:47

Run "login" (as non-root). Get "login:" prompt. Enter the username of
the user you originally ran login as. And you will be logged in without
any password.

Yes, I know it is "secure" for an already authenticated user to switch
to the same user.

But having a "login:" prompt without real authentication is misleading. It
should always ask for password even if redundant. For example, if the login:
prompt scrolls, the user may forget and assume that he is logged out. (It may
scroll by due to log messages dumped to console maybe.)

For example, no prompt for password:

login:
login:
login:
login:
login:
login:
login:
login:
login:
login:
login:
login:
login:
login: reed
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
The NetBSD Foundation, Inc. All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
NetBSD 3.1 (GENERIC) #0: Tue Oct 31 04:27:07 UTC 2006
Welcome to NetBSD!
$

This behaviour is caused by my /etc/pam.d/login:

auth sufficient pam_self.so no_warn

(Note this only works when not UID 0.)

I don't see this odd behaviour on DragonFly as one example.

diff -u -r1.4 login
--- etc/pam.d/login 27 Feb 2005 03:40:14 -0000 1.4
+++ etc/pam.d/login 4 May 2007 21:53:39 -0000
@@ -4,7 +4,6 @@
#
# auth
-auth sufficient pam_self.so no_warn
auth required pam_nologin.so no_warn
auth include system
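
Review bot: On the removed "auth sufficient pam_self.so no_warn" line, the "# auth" block keeps no record of why self-authentication was dropped, and the patch touches only etc/pam.d/login. Add a short comment in that block saying login must always reach the password check, and check whether any other file under etc/pam.d has a pam_self.so line that should be reviewed for the same reason.
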
Or is this really needed?
Jeremy C. Reed
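
The effect described in the message above, as an added example that is not part of the original post and is not NetBSD or OpenPAM code: a simplified walk of the auth stack before and after the proposed patch, showing when the password module is reached. The pam_unix.so line standing in for "auth include system", UID 1000 and the function names are assumptions.

```python
# Added illustration, not NetBSD or OpenPAM code: a simplified walk of a PAM
# auth stack that models only the "required" and "sufficient" control flags.

# First two lines are from the message. The third is a constructed stand-in
# for "auth include system", whose contents the message does not show.
LOGIN_BEFORE = """\
auth sufficient pam_self.so no_warn
auth required pam_nologin.so no_warn
auth required pam_unix.so no_warn
"""
# The stack with the patch from the message applied.
LOGIN_AFTER = "".join(
    line for line in LOGIN_BEFORE.splitlines(True) if "pam_self.so" not in line
)

def parse_auth(config):
    """Return (control, module) pairs for the auth lines of a PAM file."""
    rules = []
    for line in config.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules

def authenticate(config, caller, caller_uid, target, password_ok):
    """Return (authenticated, password_prompted) for one login attempt."""
    prompted = False
    required_failed = False
    for control, module in parse_auth(config):
        if module == "pam_self.so":
            # Succeeds when the target is the invoking user, never for UID 0.
            ok = caller == target and caller_uid != 0
        elif module == "pam_unix.so":
            prompted = True          # the only module here that asks
            ok = password_ok
        else:
            ok = True                # pam_nologin.so: assume no nologin file
        if control == "sufficient" and ok and not required_failed:
            return True, prompted    # the stack stops here with success
        if control == "required" and not ok:
            required_failed = True
    return not required_failed, prompted

if __name__ == "__main__":
    for name, cfg in (("before", LOGIN_BEFORE), ("after", LOGIN_AFTER)):
        print(name, authenticate(cfg, "reed", 1000, "reed", password_ok=False))
```
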