pam_access
Quote https://linux.die.net/man/8/pam_access
By default rules for access management are taken from config file /etc/security/access.conf if you don’t specify another file.
grep -r -i pam_access /etc/pam.d
(commented out by Debian default)
/etc/pam.d/login:# account required pam_access.so
pam_securetty
grep -r -i pam_securetty /etc/pam.d
/etc/pam.d/login:auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
Quote https://linux.die.net/man/8/pam_securetty (bold is mine)
[…] This module has no effect on non-root users and […]
In Restrict root access, if I remember right, it was discussed that /etc/securetty contains lots of very unpopular, obscure login options and it is better to restrict that for better security hardening. But /etc/securetty is for root only.
Can we use pam_access to restrict non-root users from using obscure login options too? https://linux.die.net/man/5/access.conf says it can be used to block non-local login. But pam_access would only be used for /etc/pam.d/login anyhow? /etc/pam.d/ssh (“remote login?”) is separate. Therefore “remote login” for /etc/pam.d/login could mean ancient, unpopular, obscure login options.
There was a /bin/login remote overflow vulnerability in the past:
- https://www.giac.org/paper/gcih/293/buffer-overflow-bin-login/103062
- Linux pam_lib_smb < 1.1.6 - '/bin/login' Remote Overflow - Linux remote Exploit
Need to make sure that we don’t break serial console.
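Added example, not part of the post above and not pam_access itself: a shell dry run of a candidate /etc/security/access.conf against the first-match semantics of pam_access, so a rule set can be checked against the cases that matter here (root on a VT, a serial console on ttyS0, a remote origin) before `account required pam_access.so` is enabled in /etc/pam.d/login. The rule set is constructed for the example. The emulation only understands `+`/`-`, ALL, LOCAL, EXCEPT and literal user/tty/host names; groups, netgroups, domain suffixes and netmasks are not handled, and LOCAL is implemented as "origin contains no dot", which is the definition in the access.conf(5) linked above (newer Linux-PAM releases define LOCAL differently, so check the man page shipped with the system).

```shell
#!/bin/sh
# Added example: dry run of pam_access first-match semantics over a candidate
# access.conf. Simplified emulation, NOT the module: supports "+"/"-", ALL,
# LOCAL, EXCEPT and literal names only (no groups, netgroups, netmasks).

# Constructed candidate rule set for /etc/security/access.conf.
# For /etc/pam.d/login the origin is PAM_RHOST if set, otherwise PAM_TTY,
# so a VT login arrives as "tty1" and a serial console as "ttyS0".
ACCESS_RULES='
# root only from local ttys; pam_securetty still decides which ttys
+ : root : LOCAL
# everybody else also only from local ttys (this is what keeps ttyS0 working)
+ : ALL EXCEPT root : LOCAL
# anything that got this far (non-local origin) is denied
- : ALL : ALL
'

# match_item TOKEN VALUE: succeeds if one access.conf item matches VALUE.
# LOCAL = "no '.' in the origin" (access.conf(5) as linked in the thread).
match_item() {
  case "$1" in
    ALL)   return 0 ;;
    LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# match_list "ITEMS" VALUE: a list matches when some item before EXCEPT
# matches and no item after EXCEPT does.
match_list() {
  ml_matched=1 ml_in_except=0
  for ml_tok in $1; do
    if [ "$ml_tok" = EXCEPT ]; then ml_in_except=1; continue; fi
    if match_item "$ml_tok" "$2"; then
      if [ $ml_in_except -eq 0 ]; then ml_matched=0; else return 1; fi
    fi
  done
  return $ml_matched
}

# access_decision USER ORIGIN: prints "permit" or "deny" from the first
# matching rule; like pam_access, no matching rule means access is granted.
access_decision() {
  ad_result=$(printf '%s\n' "$ACCESS_RULES" | while IFS= read -r ad_line; do
    case "$ad_line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    ad_perm=$(printf '%s' "${ad_line%%:*}" | tr -d ' ')
    ad_rest=${ad_line#*:}
    ad_users=${ad_rest%%:*}
    ad_origins=${ad_rest#*:}
    if match_list "$ad_users" "$1" && match_list "$ad_origins" "$2"; then
      case "$ad_perm" in +) echo permit ;; *) echo deny ;; esac
      break
    fi
  done)
  echo "${ad_result:-permit}"
}

# Dry run of the cases discussed: VT, serial console, remote origin.
for probe in 'root tty1' 'root ttyS0' 'root 203.0.113.7' 'user ttyS0' 'user 203.0.113.7'; do
  set -- $probe
  printf '%-5s from %-12s -> %s\n' "$1" "$2" "$(access_decision "$1" "$2")"
done
```

With this table the serial console (ttyS0) stays usable for root and non-root because its tty name has no dot and so matches LOCAL before the final `- : ALL : ALL` line is reached; a remote origin such as 203.0.113.7 falls through to that line and is denied. Whether a given tty is acceptable for root is still a separate decision made by pam_securetty and /etc/securetty.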