pam: Fix not querying password for invalid user
Not querying password for invalid user name is security
issue and can be used to determine valid / invalid user names
in the system. Always proceed to password acceptance screen
for invalid user login attempt too. This commit configures
pam_tally2 to ignore unknown user and proceed to do password
check.
Tested:
Verified the same in bmc serial console login with invalid user
name and password was requested, before displaying login incorrect.
Note: dropbear handles this already and hence ssh will not exhibit
this behavior.
(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)
Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 7bebd9a..58ed74f 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -8,7 +8,7 @@
# traditional Unix authentication mechanisms.
# here are the per-package modules (the "Primary" block)
-auth [success=ok default=2] pam_tally2.so deny=0 unlock_time=0
+auth [success=ok user_unknown=ignore default=2] pam_tally2.so deny=0 unlock_time=0
# Try for local user first, and then try for ldap
auth [success=2 default=ignore] pam_unix.so nullok_secure
-auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail