current pam setup ignores everything (for example: bad passwords, configuration problems)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| pam (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
The current pam profiles mostly seem to say:
auth [success=$skipnum default=ignore]
This means that pam will happily try to validate your password against all the modules there are; in fact, it ignores wrong passwords, it ignores errors, acct_expired, maxtries, perm_denied and what not, in any of the modules. Given enough pam modules, your chances of being able to authorize could converge to 1 ;-)
This is the wrong way around. A user should be locked out if she is locked out in any of the authentication databases; she should be denied access if she guesses the wrong password in one of these databases.
There is a debian bug http://
| visibility: | private → public |
| Steve Langasek (vorlon) wrote | #1 |
| Changed in pam (Ubuntu): | |
| status: | New → Invalid |
| Valentijn Sessink (valentijn) wrote | #2 |
This is not a security issue. The default PAM stack is *deliberately* organized such that each module is tried in turn and any one succeeding authentication module is treated as a success for the whole stack.
If this is not the site policy you want, then you should use pam-auth-update to change which profiles are enabled. But the setup you describe is *not* the common case and is not what will be shipped by default in Ubuntu.