rsh and rlogin allow a user to log in as a different user without a password prompt
This document (7007218) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 10
Situation
/etc/pam.d/rlogin
auth sufficient pam_securetty.so
auth sufficient pam_rhosts_auth.so
auth include common-auth
auth required pam_mail.so
Resolution
Because pam_securetty.so exists to allow root logins only when the user is logging in on a "secure" tty, the module returns PAM_SUCCESS for non-root users. With the control flag set to sufficient, that success is enough to satisfy authentication.
DO NOT set pam_securetty.so to sufficient unless the desired result is for a non-root user to be able to log in as any non-root user without being prompted for a password.
Per the man pages of pam_securetty:
For canonical usage, should be listed as a required authentication method before any sufficient authentication methods.
Default for SLES 10
/etc/pam.d/rlogin
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_rhosts_auth.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session include common-session
Default for SLES 11
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
auth required pam_mail.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
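The following check is an added example, not part of the SUSE document. It flags an auth line where pam_securetty.so is sufficient (or uses the equivalent [success=done ...] control) and, following the man page advice quoted above, where it is listed after a sufficient module. The function names and sample strings are constructed for this example.

```python
import re
import sys

# Constructed samples: the misconfigured stack and the SLES 11 default from this page.
MISCONFIGURED = """\
auth sufficient pam_securetty.so
auth sufficient pam_rhosts_auth.so
auth include common-auth
auth required pam_mail.so
"""
SLES11_DEFAULT = """\
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth sufficient pam_rhosts.so
auth include common-auth
"""
# type, control (keyword or [value=action ...]), module path
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def ends_stack_on_success(control):
    """True if PAM_SUCCESS here ends the stack (when no earlier required module failed)."""
    if control.startswith("["):
        pairs = (kv.split("=", 1) for kv in control[1:-1].split() if "=" in kv)
        return dict(pairs).get("success") == "done"
    return control == "sufficient"

def audit_auth_stack(text):
    """Return (line_number, message) findings about pam_securetty.so in an auth stack."""
    findings, first_sufficient = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        match = LINE.match(raw.split("#", 1)[0].strip())
        if not match or match.group(1).lstrip("-") != "auth":
            continue
        control, module = match.group(2), match.group(3).rsplit("/", 1)[-1]
        if module == "pam_securetty.so" and ends_stack_on_success(control):
            findings.append((number, "pam_securetty.so success ends the stack; "
                                     "non-root users are not asked for a password"))
        elif module == "pam_securetty.so" and first_sufficient:
            findings.append((number, "pam_securetty.so follows the sufficient "
                                     f"module on line {first_sufficient}"))
        elif first_sufficient is None and ends_stack_on_success(control):
            first_sufficient = number
    return findings

if __name__ == "__main__":
    # With no argument, audit the constructed misconfigured sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MISCONFIGURED
    for number, message in audit_auth_stack(text):
        print(f"line {number}: {message}")
```

Pass a file such as /etc/pam.d/rlogin as the first argument to audit it. Stacks pulled in through include lines are not followed.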
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7007218
- Creation Date: 16-Nov-2010
- Modified Date: 28-Sep-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com