Subject: Re: login too verbose during failed login
To: Simon J. Gerraty <sjg@crufty.net>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 09/27/2005 12:49:40
On Jan 12, 8:51pm, Simon J. Gerraty wrote:
}
} > Actually, the telnet example is relevant, since the actual message
} >is coming from login. You would get the same message if you were
} >coming in over a serial line or using a virtual terminal that wasn't
} >marked 'secure'. See lib/30923 for details. Zafer has now appended a
} >message that I originally authored which explains the problem in detail
} >and contains a patch for it (I also authored the patch).
}
} patch looks reasonable, and yes, login should only ever say "login incorrect"
Can you commit it and request a pullup to netbsd-3 so that we can
move on, please? There is also lib/31059. Same problem, but for
systems that don't use PAM. For some reason, my patch hasn't shown up
in the PR. Here it is (it should be pulled up to netbsd-2 and
netbsd-3):
--- login.c.orig 2005-08-24 13:07:05.000000000 -0700
+++ login.c 2005-08-24 13:08:30.000000000 -0700
@@ -503,9 +503,7 @@
* but with insecure terminal, refuse the login attempt.
*/
if (pwd && !rval && rootlogin && !rootterm(tty)) {
- (void)fprintf(stderr,
- "%s login refused on this terminal.\n",
- pwd->pw_name);
+ (void)printf("Login incorrect\n");
if (hostname)
syslog(LOG_NOTICE,
"LOGIN %s REFUSED FROM %s ON TTY %s",
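Review bot: the replacement line moves the refusal text from stderr (fprintf(stderr, ...)) to stdout (printf) and drops the "%s" username; that is only right if the "Login incorrect" printed on the ordinary bad-password path also goes through printf to stdout, so that the two refusals are byte-identical on the same stream and an unauthenticated caller cannot tell "wrong password" from "valid root credentials on a non-secure tty". That other path is outside this hunk and worth checking before commit. The syslog(LOG_NOTICE, "LOGIN %s REFUSED FROM %s ON TTY %s", ...) call in the trailing context keeps the detailed reason for the administrator, so nothing diagnostic is lost by hiding it from the user.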
} > As for logging the exact reason somewhere, this would have to be
} >done from the PAM module that denied the login, since it is the only
} >thing that knows the reason. I could write a patch for the PAM module
} >easily enough. However, the problem that concerns me is whether I
} >would mess up logging by the application (in this case, most likely
} >login) by calling openlog() within a PAM module. I think we need some
} >way that a library can make log entries without messing up logging done
} >by applications using the library.
}
} Just call syslog() (i.e. skip the openlog()), it is unlikely
} that any auth related application won't have done openlog before
} invoking PAM. If someone writes such an app, they clearly deserve to
} be mystified by any failures that don't get logged.
I was thinking of modifying my patch for login, like so:
--- login_pam.c.orig 2005-09-27 12:44:58.000000000 -0700
+++ login_pam.c 2005-09-27 12:43:18.000000000 -0700
@@ -389,6 +389,15 @@ main(int argc, char *argv[])
PAM_END("pam_chauthtok");
break;
+ case PAM_AUTH_ERR:
+ case PAM_USER_UNKNOWN:
+ case PAM_MAXTRIES:
+ syslog(LOG_ERR, "pam_acct_mgmt: %s (perhaps
+ root login on insecure terminal?)",
+ pam_strerror(pamh, pam_err));
+ auth_passed = 0;
+ break;
+
default:
PAM_END("pam_acct_mgmt");
break;
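Review bot: the string literal at `syslog(LOG_ERR, "pam_acct_mgmt: %s (perhaps` is split across two source lines without closing the literal or using adjacent-literal concatenation, so as pasted this hunk will not compile; if that is only mail wrapping, the committed form should be `"pam_acct_mgmt: %s (perhaps "` followed by `"root login on insecure terminal?)"`. Also, the parenthetical guess is logged for every PAM_AUTH_ERR, PAM_USER_UNKNOWN and PAM_MAXTRIES return from pam_acct_mgmt, not only the insecure-tty case, so the log speculates about a cause it does not know; logging pam_strerror() together with the tty and remote host, and leaving the real reason to the PAM module that denied the login (as discussed earlier in this thread), would give the administrator a line that is accurate in every case. Finally, the login.c patch earlier in this message logs the equivalent refusal at LOG_NOTICE while this one uses LOG_ERR; one priority for both keeps syslog.conf filtering consistent.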
}-- End of excerpt from Simon J. Gerraty
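The principle both patches in this thread are reaching for (a single constant "Login incorrect" for the user, with the real cause recorded only in the system log) can be isolated in a small routine. The following is an added example written for this page; it is not NetBSD's login code and not part of either patch. The enum values, the function names login_refusal() and report_refusal(), and the sample user, tty and host values are all constructed for illustration; the log format mirrors the "LOGIN %s REFUSED FROM %s ON TTY %s" line visible in the login.c hunk, and, following Simon's point, report_refusal() calls syslog() on the assumption that the calling program already did its openlog().

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical failure causes a login program distinguishes internally. */
enum login_fail {
    LF_BAD_PASSWORD,      /* wrong password or unknown user */
    LF_ROOT_INSECURE_TTY, /* valid root credentials, but tty not marked "secure" */
    LF_MAX_TRIES          /* too many attempts (PAM_MAXTRIES) */
};

/*
 * Produce the two outputs a refusal needs: the line shown to the
 * (unauthenticated) user and the detailed line for the system log.
 * The user-visible text is the same constant for every cause, so the
 * prompt never reveals whether the account exists, whether the password
 * was right, or whether the terminal was the only thing wrong.  The
 * detail goes only to the log, where an administrator can read it.
 * Returns the user-visible message; writes the log line into logbuf.
 */
const char *
login_refusal(enum login_fail why, const char *user, const char *tty,
    const char *host, char *logbuf, size_t loglen)
{
    const char *detail;

    switch (why) {
    case LF_ROOT_INSECURE_TTY:
        detail = "ROOT LOGIN REFUSED ON INSECURE TTY";
        break;
    case LF_MAX_TRIES:
        detail = "TOO MANY FAILED ATTEMPTS";
        break;
    default:
        detail = "AUTHENTICATION FAILED";
        break;
    }

    /* Same shape as the syslog line in the login.c hunk, plus the cause. */
    if (host != NULL)
        (void)snprintf(logbuf, loglen, "LOGIN %s REFUSED FROM %s ON TTY %s: %s",
            user, host, tty, detail);
    else
        (void)snprintf(logbuf, loglen, "LOGIN %s REFUSED ON TTY %s: %s",
            user, tty, detail);

    return "Login incorrect";
}

/*
 * Emit the pair: constant text to the user, detail to syslog.  Assumes the
 * caller (the login program) already called openlog(), so only syslog()
 * is used here and the application's log identity is left untouched.
 */
void
report_refusal(enum login_fail why, const char *user, const char *tty,
    const char *host)
{
    char logbuf[256];
    const char *msg = login_refusal(why, user, tty, host, logbuf, sizeof logbuf);

    (void)printf("%s\n", msg);
    syslog(LOG_NOTICE, "%s", logbuf);
}

int
main(void)
{
    /* Constructed sample attempts; the addresses and names are not real data. */
    report_refusal(LF_BAD_PASSWORD, "alice", "ttyp0", "192.0.2.10");
    report_refusal(LF_ROOT_INSECURE_TTY, "root", "ttyp0", "192.0.2.10");
    report_refusal(LF_MAX_TRIES, "bob", "tty00", NULL);
    return 0;
}
```

Run as written, every attempt prints the identical "Login incorrect" line to the terminal, while the syslog entries differ and name the actual cause; checking that the user-visible strings compare equal across all causes is the property a reviewer would want a test to pin down.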