/etc/security Hardening? - Console Lockdown - pam_access - access.conf

It’s implemented.

Why use accessfile=/etc/security/access-security-misc.conf and not /etc/security/access.conf? To avoid the need for config-package-dev displace.

Why invent /usr/share/pam-configs/console-lockdown? Because pam_access is not used by the Debian default PAM config. No setting in /etc/security/access.conf has any effect without adding it to /etc/pam.d.

But I cannot enable it by default. Why? See description:

Console Lockdown.
Allow members of group ‘console’ to use console. Everyone else except
members of group ‘console-unrestricted’ are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797) Using pam_access.
Not enabled by default in this package since this package does not know which
users shall be added to group ‘console’ and would break ssh login since files
in /usr/share/pam-configs/console-lockdown result in modifications of
/etc/pam.d/common-account file which not only applies to /etc/pam.d/login but
also all other services such as /etc/pam.d/ssh.

One part is easily solvable:

Not enabled by default in this package since this package does not know which
users shall be added to group ‘console’

pam console-lockdown could be enabled in package anon-base-files for Whonix / Kicksecure.

But the following part is not easily solved.

would break ssh login since files
in /usr/share/pam-configs/console-lockdown result in modifications of
/etc/pam.d/common-account file which not only applies to /etc/pam.d/login but
also all other services such as /etc/pam.d/ssh.

The following line

account  required        pam_access.so accessfile=/etc/security/access-security-misc.conf debug

needs to end up in /etc/pam.d/login only. Not in file /etc/pam.d/common-account. There is no API to modify /etc/pam.d/login with a package.

I am wondering if line account required pam_access.so accessfile=/etc/security/access-security-misc.conf debug could declare “but only for /etc/pam.d/login” or if /etc/security/access-security-misc.conf could declare “don’t break SSH”.

Any idea?

Instead of blocking all except recent (non-ancient) consoles…

+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9

could change that to

+:console:ALL

which would not block ancient consoles and would not break SSH, but would at least prevent users not in group console from attempting any login.

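To make the difference between the two variants concrete, here is an added example (not code from the post or from security-misc): a simplified evaluator of pam_access access.conf rules, first match wins and permit when nothing matches, run against both rule sets. The `+:console-unrestricted:ALL` and final `-:ALL:ALL` lines, the group membership and the ssh origin address are constructed assumptions that stand in for the real file, /etc/group and PAM_RHOST.

```python
"""Simplified pam_access rule evaluator (added example, not the project's code).

Handles only what the post needs: '+'/'-' permission, ALL, bare user or group
names in the users field, and ALL or literal tty names in the origins field.
Real pam_access also supports EXCEPT, LOCAL, (group) syntax, netgroups and
CIDR origins, which are deliberately left out.
"""

TTY_LIST = ("tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 "
            "pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 "
            "hvc7 hvc8 hvc9")

# Constructed rule sets: the second and third lines are assumptions that
# reconstruct the "console-unrestricted" / "everyone else denied" behaviour
# described in the package description.
RULES_STRICT = f"+:console:{TTY_LIST}\n+:console-unrestricted:ALL\n-:ALL:ALL\n"
RULES_RELAXED = "+:console:ALL\n+:console-unrestricted:ALL\n-:ALL:ALL\n"

# Constructed group membership standing in for /etc/group.
GROUPS = {"console": {"alice"}, "console-unrestricted": {"bob"}}


def parse_rules(text):
    """Return a list of (allow, users, origins) tuples from access.conf text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm.strip() == "+", users.split(), origins.split()))
    return rules


def user_matches(items, user, groups):
    """A users-field item matches by ALL, by user name, or by group membership."""
    return any(i == "ALL" or i == user or user in groups.get(i, ()) for i in items)


def origin_matches(items, origin):
    """An origins-field item matches by ALL or by exact tty name."""
    return any(i == "ALL" or i == origin for i in items)


def access_allowed(rules, user, origin, groups=GROUPS):
    """First matching rule decides; pam_access permits when no rule matches."""
    for allow, users, origins in rules:
        if user_matches(users, user, groups) and origin_matches(origins, origin):
            return allow
    return True
```

Under the strict list a console member arriving over ssh (origin is the remote host, not a tty) falls through to `-:ALL:ALL`, which is exactly the breakage the post describes; with `+:console:ALL` the same user is permitted while non-members stay denied.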