[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pkg-shadow-devel
Subject:    [Pkg-shadow-devel] Bug#531341: prints "login incorrect" without asking for password when entering an
From:       Steve Langasek <vorlon () debian ! org>
Date:       2009-09-02 8:32:17
Message-ID: 20090902083217.GB24004 () dario ! dodds ! net
[Download RAW message or body]


reopen 531341
severity 531341 grave
thanks

> * debian/login.pam: pam_securetty included as a required module instead of
>     requisite to avoid leak of user name information. Closes: #531341

Please revert this change.  The 'requisite' module is necessary to prevent
exposure of the root password over insecure channels - such as telnet, but
also including unencrypted XDMCP connections.  root users should never have
the opportunity to type their password when the tty is not secure.

--=20
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]