From 4bfffde7b5edeee761d32b174386bd1e1e28fab9 Mon Sep 17 00:00:00 2001
From: Richard Marian Thomaiyar
Date: Fri, 30 Aug 2019 17:17:03 +0530
Subject: pam: Fix not querying password for invalid user

Not querying password for invalid user name is security issue and can be used to determine valid / invalid user names in the system. Always proceed to password acceptance screen for invalid user login attempt too. This commit configures pam_tally2 to ignore unknown user and proceed to do password check.

Tested: Verified the same in bmc serial console login with invalid user name and password was requested, before displaying login incorrect.

Note: dropbear handles this already and hence ssh will not exhibit this behavior.

(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)

Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar
Signed-off-by: Brad Bishop
---
 meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 7bebd9a6a..58ed74f19 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -8,7 +8,7 @@
 # traditional Unix authentication mechanisms.
 # here are the per-package modules (the "Primary" block)
-auth [success=ok default=2] pam_tally2.so deny=0 unlock_time=0
+auth [success=ok user_unknown=ignore default=2] pam_tally2.so deny=0 unlock_time=0
 # Try for local user first, and then try for ldap
 auth [success=2 default=ignore] pam_unix.so nullok_secure
-auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
--
cgit v1.2.3
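Review bot: `user_unknown=ignore` closes the gap only for names pam_tally2 cannot resolve; any other non-success return from pam_tally2 (for a known account that has hit its lockout threshold it returns PAM_AUTH_ERR) still takes the `default=2` jump past pam_unix and pam_ldap, so that one name gets no password prompt while every other name does, which is a second "this account exists" oracle. As committed `deny=0` leaves lockout off, so the oracle only appears once a threshold is configured, but if the intent is that every attempt reaches the password prompt, `auth [success=ok user_unknown=ignore default=bad] pam_tally2.so deny=0 unlock_time=0` records the failure and still lets pam_unix prompt before the stack fails — assuming the fallback entries after pam_ldap, which are outside this hunk, still end in a deny. The `default=2` count also silently depends on exactly two modules sitting between pam_tally2 and that fallback, so a comment such as `# default=2 jumps to the fallback entry below; keep the count in sync when adding modules` would protect the next editor. Whether the prompt for an unknown name takes as long as one for a real account depends on the pam_unix build, so the serial-console test in the commit message is worth repeating with a rough timing comparison.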