diff options
author | Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> | 2019-08-30 14:47:03 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-09-13 13:15:16 +0300 |
commit | 4bfffde7b5edeee761d32b174386bd1e1e28fab9 (patch) | |
tree | c2a76ef80e3e2a87e7b0088f47434af8e4385d54 | |
parent | bca48eae0c40afa729922263645ead4447493193 (diff) | |
download | openbmc-4bfffde7b5edeee761d32b174386bd1e1e28fab9.tar.xz |
pam: Fix not querying password for invalid user
Not querying password for invalid user name is security
issue and can be used to determine valid / invalid user names
in the system. Always proceed to password acceptance screen
for invalid user login attempt too. This commit configures
pam_tally2 to ignore unknown user and proceed to do password
check.
Tested:
Verified the same in bmc serial console login with invalid user
name and password was requested, before displaying login incorrect.
Note: dropbear handles this already and hence ssh will not exhibit
this behavior.
(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)
Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
-rw-r--r-- | meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth index 7bebd9a6a..58ed74f19 100644 --- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth +++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth @@ -8,7 +8,7 @@ # traditional Unix authentication mechanisms. # here are the per-package modules (the "Primary" block) -auth [success=ok default=2] pam_tally2.so deny=0 unlock_time=0 +auth [success=ok user_unknown=ignore default=2] pam_tally2.so deny=0 unlock_time=0 # Try for local user first, and then try for ldap auth [success=2 default=ignore] pam_unix.so nullok_secure -auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail |