Subject: Re: login allows login without password
To: None <tech-security@NetBSD.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 05/05/2007 02:53:55
On Aug 20,  5:03am, "Jeremy C. Reed" wrote:
} 
} Run "login" (as non-root). Get "login:" prompt. Enter the username of 
} the user you originally ran login as. And you will be logged in without 
} any password.
} 
} Yes, I know it is "secure" for an already authenticated user to switch 
} to the same user.
} 
} But having a "login:" prompt without real authentication is misleading. It 
} should always ask for a password even if redundant. For example, if the 
} login: prompt scrolls, the user may forget and assume that he is logged out. 
} (It may scroll by, maybe due to log messages dumped to the console.)
} 
} For example, no prompt for password:
} 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: 
} login: reed
} Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
}     The NetBSD Foundation, Inc.  All rights reserved.
} Copyright (c) 1982, 1986, 1989, 1991, 1993
}     The Regents of the University of California.  All rights reserved.
} 
} NetBSD 3.1 (GENERIC) #0: Tue Oct 31 04:27:07 UTC 2006
} 
} Welcome to NetBSD!
} 
} $ 
} 
} 
} This behaviour is caused by my /etc/pam.d/login:
} 
} auth            sufficient      pam_self.so             no_warn
} 
} 
} (Note this only works for when not UID 0.)
} 
} I don't see this odd behaviour on DragonFly as one example.
} 
} diff -u -r1.4 login
} --- etc/pam.d/login	27 Feb 2005 03:40:14 -0000	1.4
} +++ etc/pam.d/login	4 May 2007 21:53:39 -0000
} @@ -4,7 +4,6 @@
}  #
}  
}  # auth
} -auth		sufficient	pam_self.so		no_warn
}  auth		required	pam_nologin.so		no_warn
}  auth		include		system
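Review bot: dropping the only `sufficient` entry changes the shape of the auth stack (every login, same-UID or not, now falls through `pam_nologin.so` into the `system` chain), but the hunk leaves nothing in the file recording why `pam_self.so` was removed. A one-line note under the existing `# auth` header would keep a later resync against the FreeBSD file, which still carries `auth sufficient pam_self.so no_warn`, from silently reintroducing it. Since the diff touches only `etc/pam.d/login`, it is also worth checking whether any other file under `etc/pam.d` carries the same `pam_self.so` line and should get the same treatment.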
} 
} 
} Or is this really needed? 

     We got PAM from FreeBSD.  Looking at http://cvsweb.freebsd.org/,
I see that they still use pam_self.so.  This is a change in behaviour
from pre-PAM.  Changing it now would be a change in behaviour from the
way it currently works (and the way it works on FreeBSD).  However, it
would be restoring traditional behaviour, and you make some good
points.  I'll wait a few days and, if nobody yells, I'll make the change
you suggest.

}-- End of excerpt from "Jeremy C. Reed"
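To make the mechanism behind the thread concrete, here is an added example (not code from the thread, NetBSD or FreeBSD) that parses pam.d-style `auth` lines like the ones quoted above, splices `include`, and applies the usual control-flag dispatch. It shows why a `sufficient pam_self.so` entry placed ahead of the password module lets a same-UID caller through without ever being prompted, and why the proposed removal restores the prompt. The module verdicts are simplified assumptions written for this example, the `system` stack is a constructed stand-in for `/etc/pam.d/system`, and the `allow_root` handling for `pam_self.so` is modelled, not copied from the module.

```python
"""Added example: a model of a PAM 'auth' stack, not the real PAM library.

Module verdicts below are simplified assumptions for the demonstration;
the 'system' stack is a constructed stand-in for /etc/pam.d/system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, List[str]]  # (control, module, options)

# Constructed stacks mirroring the thread's /etc/pam.d/login before and
# after the proposed change (same entries as the quoted diff).
LOGIN_BEFORE = """\
# auth
auth\t\tsufficient\tpam_self.so\t\tno_warn
auth\t\trequired\tpam_nologin.so\t\tno_warn
auth\t\tinclude\t\tsystem
"""
LOGIN_AFTER = """\
# auth
auth\t\trequired\tpam_nologin.so\t\tno_warn
auth\t\tinclude\t\tsystem
"""
# Assumption: a minimal 'system' stack with one password-checking module.
STACKS: Dict[str, str] = {
    "system": "auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass\n",
}


def parse_stack(text: str, facility: str = "auth") -> List[Entry]:
    """Return (control, module, options) for each non-comment line of `facility`."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def expand(entries: List[Entry], stacks: Dict[str, str]) -> List[Entry]:
    """Splice 'include <name>' entries in place, as the PAM library does."""
    out: List[Entry] = []
    for control, module, options in entries:
        if control == "include":
            out.extend(expand(parse_stack(stacks[module]), stacks))
        else:
            out.append((control, module, options))
    return out


@dataclass
class Session:
    caller_uid: int          # uid of the process that ran login(1)
    target_uid: int          # uid of the account typed at the login: prompt
    password_ok: bool        # what pam_unix would decide if it prompted
    nologin_present: bool = False
    prompted: bool = False   # set when a module asks for the password
    short_circuit: Optional[str] = None  # module whose 'sufficient' ended the run


def run_module(module: str, options: List[str], s: Session) -> bool:
    """Simplified module verdicts (assumptions for this example)."""
    if module == "pam_self.so":
        # Succeeds only when caller and target uid match; root is refused
        # unless allow_root is given (the "not UID 0" note in the thread).
        if s.caller_uid != s.target_uid:
            return False
        return s.caller_uid != 0 or "allow_root" in options
    if module == "pam_nologin.so":
        return s.target_uid == 0 or not s.nologin_present
    if module == "pam_unix.so":
        s.prompted = True  # the one module here that asks for a password
        return s.password_ok
    raise ValueError(f"no model for {module}")


def authenticate(chain: List[Entry], s: Session) -> bool:
    """Control-flag dispatch for one auth run; True means PAM_SUCCESS."""
    failed = False
    for control, module, options in chain:
        ok = run_module(module, options, s)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:   # success here ends the stack early
                s.short_circuit = module
                return True
        elif control != "optional":
            raise ValueError(f"unknown control flag {control}")
    return not failed


def check_login(stack_text: str, caller_uid: int, target_uid: int,
                password_ok: bool) -> Tuple[bool, bool]:
    """Return (authenticated, was_prompted_for_password)."""
    s = Session(caller_uid, target_uid, password_ok)
    ok = authenticate(expand(parse_stack(stack_text), STACKS), s)
    return ok, s.prompted


def audit(stack_text: str, uid: int = 1000) -> List[str]:
    """Modules that let a non-root same-UID caller in with no password prompt."""
    s = Session(uid, uid, password_ok=False)
    authenticate(expand(parse_stack(stack_text), STACKS), s)
    return [s.short_circuit] if s.short_circuit and not s.prompted else []


if __name__ == "__main__":
    for name, text in (("before", LOGIN_BEFORE), ("after", LOGIN_AFTER)):
        print(name, check_login(text, 1000, 1000, password_ok=False), audit(text))
```

With the "before" stack, `audit` names `pam_self.so` as the entry that ends the run before any password module is reached; with the "after" stack the same caller is prompted and, with a wrong password, refused. Root is prompted under both stacks because the modelled `pam_self.so` refuses uid 0 without `allow_root`.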