rsh and rlogin allow user to login as a different user without password prompt

  • 7007218
  • 16-Nov-2010
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux
SUSE Linux

Situation

Non-root users are able to use rlogin and rsh to another server as another user without being prompted for a password.

/etc/pam.d/rlogin

auth    sufficient     pam_securetty.so
auth    sufficient     pam_rhosts_auth.so
auth    include        common-auth
auth    required       pam_mail.so

Resolution

Setting pam_securetty.so to sufficient in the auth section of the rsh or rlogin PAM configuration file makes authentication succeed as soon as that module returns PAM_SUCCESS.

Because the module's only purpose is to restrict root logins to "secure" ttys, it returns PAM_SUCCESS for every non-root user. With the sufficient control flag, that return ends the auth stack immediately, so the remaining modules (including the password check pulled in by common-auth) are never run.

DO NOT set pam_securetty.so to sufficient unless the desired result is for a non-root user to be able to log in as any non-root user without being prompted for a password.

Per the man pages of pam_securetty:

For canonical usage, should be listed as a required authentication method before any sufficient authentication methods.

Default for SLES 10

/etc/pam.d/rlogin

auth     required       pam_securetty.so
auth     required       pam_nologin.so
auth     sufficient     pam_rhosts_auth.so
auth     include        common-auth
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  include        common-session

Default for SLES 11

auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     sufficient     pam_rhosts.so
auth     include        common-auth
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
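The following is an added illustration, not part of the TID: a simplified model of how Linux-PAM walks an auth stack, run over the misconfigured rlogin file above and the SLES 10 default. Module behaviour is an assumption (pam_securetty passes every non-root user, common-auth stands in for the password check, pam_rhosts_auth fails unless a trusted host matches), and the last function is a small audit check for the "sufficient pam_securetty.so" pattern.

```python
# Constructed model of how Linux-PAM walks an 'auth' stack (not real PAM code).
# Module outcomes are simplified just far enough to show the TID's point.

BROKEN_RLOGIN = """\
auth    sufficient     pam_securetty.so
auth    sufficient     pam_rhosts_auth.so
auth    include        common-auth
auth    required       pam_mail.so
"""
SLES10_RLOGIN = """\
auth     required       pam_securetty.so
auth     required       pam_nologin.so
auth     sufficient     pam_rhosts_auth.so
auth     include        common-auth
auth     required       pam_mail.so
"""

def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d file."""
    rows = [ln.split() for ln in text.splitlines()]
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == "auth"]

def module_result(module, user, have_password, trusted_rhosts):
    """Modelled outcome of one module (assumption, not real module code)."""
    if module == "pam_securetty.so":
        return user != "root"       # only restricts root; anyone else passes
    if module == "pam_rhosts_auth.so":
        return trusted_rhosts       # .rhosts / hosts.equiv match
    if module == "common-auth":
        return have_password        # stands in for the password check
    return True                     # pam_nologin (no /etc/nologin), pam_mail

def auth_succeeds(text, user, have_password=False, trusted_rhosts=False):
    """Apply the required / requisite / sufficient / include rules in order."""
    failed = False
    for control, module in parse_auth_stack(text):
        ok = module_result(module, user, have_password, trusted_rhosts)
        if control == "sufficient" and ok and not failed:
            return True             # stack ends here; later modules never run
        if control == "requisite" and not ok:
            return False
        if control in ("required", "include") and not ok:
            failed = True           # keep walking, but the final answer is no
    return not failed

def sufficient_securetty_lines(text):
    """Audit check: 'sufficient' entries for pam_securetty.so in an auth stack."""
    return [m for c, m in parse_auth_stack(text)
            if c == "sufficient" and m == "pam_securetty.so"]
```

With the broken stack a non-root user authenticates with no password at all, while the SLES 10 default still requires one; the same parse can be pointed at a real /etc/pam.d/rlogin or /etc/pam.d/rsh to spot the pattern.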