Subject: login allows login without password
To: None <tech-security@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 05/04/2007 16:55:47
Run "login" (as non-root). Get "login:" prompt. Enter the username of 
the user you originally ran login as. And you will be logged in without 
any password.

Yes, I know it is "secure" for an already authenticated user to switch to 
the same user.

But having a "login:" prompt without real authentication is misleading. It 
should always ask for a password even if redundant. For example, if the login: 
prompt scrolls, the user may forget and assume that he is logged out. (It may 
scroll by due to log messages dumped to the console, for example.)

For example, no prompt for password:

login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: 
login: reed
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 3.1 (GENERIC) #0: Tue Oct 31 04:27:07 UTC 2006

Welcome to NetBSD!

$ 


This behaviour is caused by my /etc/pam.d/login:

auth            sufficient      pam_self.so             no_warn


(Note this only works for when not UID 0.)

I don't see this odd behaviour on DragonFly as one example.

diff -u -r1.4 login
--- etc/pam.d/login	27 Feb 2005 03:40:14 -0000	1.4
+++ etc/pam.d/login	4 May 2007 21:53:39 -0000
@@ -4,7 +4,6 @@
 #
 
 # auth
-auth		sufficient	pam_self.so		no_warn
 auth		required	pam_nologin.so		no_warn
 auth		include		system
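Review bot: the hunk removes the only line that lets the auth stack succeed before a password module runs, but it carries no comment explaining why; a one-line note above `auth		required	pam_nologin.so		no_warn` saying that a same-user re-login is now meant to be prompted for a password would help the next person who wonders where pam_self.so went. Note also that the change is limited to the `auth` phase of the login service (the `-4,7 +4,6` header matches a single deleted line); the account and session phases, and any other pam.d service that may list pam_self.so as sufficient, are untouched by this diff.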


Or is this really needed? 

  Jeremy C. Reed
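As an added example (not part of the original message or of NetBSD's own tooling), the following audit script parses a pam.d service file in the four-column format shown above and reports `auth` lines whose `sufficient` control plus a non-interactive module, such as the `pam_self.so` line discussed here, can end the stack before any password module is consulted. The sample configs are constructed from the diff in the message; pam_permit.so and pam_rootok.so are assumed extra entries in the non-interactive list.

```python
"""Audit a pam.d service file for 'sufficient' auth modules that succeed
without prompting, which let the auth stack finish before a password is asked."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PamEntry:
    type: str        # auth, account, password, session
    control: str     # required, requisite, sufficient, optional, include, ...
    module: str      # e.g. pam_self.so or, for 'include', the included service
    args: List[str] = field(default_factory=list)


# Modules that return success without asking the user for a credential.
# pam_self.so comes from the message; the other two are assumed additions.
NON_INTERACTIVE_SUCCESS = {"pam_self.so", "pam_permit.so", "pam_rootok.so"}


def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse 'type control module [args...]' lines; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; PAM itself would log and ignore it
        entries.append(PamEntry(fields[0], fields[1], fields[2], fields[3:]))
    return entries


def find_password_bypass(entries: List[PamEntry]) -> List[str]:
    """Return auth modules marked 'sufficient' that succeed without prompting.

    A 'sufficient' module that passes ends the auth stack immediately (unless an
    earlier 'required' module already failed), so later password checks never run."""
    return [e.module for e in entries
            if e.type == "auth" and e.control == "sufficient"
            and e.module in NON_INTERACTIVE_SUCCESS]


# Constructed samples: the login stack before and after the posted diff.
LOGIN_BEFORE = """# auth
auth\t\tsufficient\tpam_self.so\t\tno_warn
auth\t\trequired\tpam_nologin.so\t\tno_warn
auth\t\tinclude\t\tsystem
"""
LOGIN_AFTER = "\n".join(l for l in LOGIN_BEFORE.splitlines() if "pam_self" not in l)

if __name__ == "__main__":
    print("before:", find_password_bypass(parse_pam_config(LOGIN_BEFORE)))
    print("after: ", find_password_bypass(parse_pam_config(LOGIN_AFTER)))
```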