CVE-1999-1346 in Linux
Summary
by MITRE
PAM configuration file for rlogin in Red Hat Linux 6.1 and earlier includes a less restrictive rule before a more restrictive one, which allows users to access the host via rlogin even if rlogin has been explicitly disabled using the /etc/nologin file.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/19/2026
The vulnerability described in CVE-1999-1346 represents a critical configuration flaw in the pluggable authentication modules pam system within Red Hat Linux 6.1 and earlier versions. This issue stems from the improper ordering of authentication rules in the PAM configuration file specifically designed for the rlogin service. The fundamental problem occurs when the system processes authentication requests through the rlogin service, where a less restrictive authentication rule is positioned before a more restrictive one that should enforce access controls. This misconfiguration creates a logical flaw in the authentication chain that directly contradicts the intended security policy of disabling rlogin access through the standard /etc/nologin mechanism.
The technical implementation of this vulnerability involves the PAM configuration file that governs how authentication requests are processed for rlogin services. When a user attempts to establish an rlogin session, the PAM system evaluates authentication rules in sequential order from top to bottom. In affected systems, the configuration places a rule that permits rlogin access before evaluating the rule that should deny access based on the presence of the /etc/nologin file. This ordering issue creates a scenario where even when system administrators explicitly disable rlogin access by creating the /etc/nologin file, users can still bypass this restriction and establish rlogin sessions. The vulnerability essentially allows privilege escalation and unauthorized access to systems that should be protected by the standard nologin mechanism.
The operational impact of this vulnerability extends beyond simple unauthorized access, creating significant security risks for system administrators who rely on the /etc/nologin file as a legitimate method to temporarily disable login access. When this vulnerability is exploited, it undermines the fundamental security principle of access control enforcement, allowing malicious users or compromised accounts to bypass the intended restrictions even during system maintenance windows or emergency situations where administrators would expect login access to be completely disabled. This flaw particularly affects systems where administrators depend on the /etc/nologin mechanism for security management, as it renders this protection mechanism ineffective against rlogin access attempts.
The vulnerability can be classified under CWE-693 as a protection mechanism failure, specifically involving inadequate authentication control implementation. From an operational security perspective, this issue aligns with ATT&CK technique T1078 which covers valid accounts and legitimate credentials for lateral movement. The improper PAM configuration creates a backdoor access method that bypasses standard authentication controls, making it particularly dangerous for environments where strict access controls are required. Organizations using affected Red Hat Linux versions face significant risk as this vulnerability allows attackers to circumvent access restrictions that should be enforced through the standard nologin mechanism, potentially leading to unauthorized system access, data compromise, and disruption of system security policies. The remediation involves correcting the PAM configuration file to ensure that more restrictive rules are evaluated before less restrictive ones, properly ordering the authentication modules to enforce the intended access control policies.
This vulnerability demonstrates the critical importance of proper configuration management and the potential for seemingly minor configuration errors to create significant security weaknesses. The flaw represents a failure in the principle of least privilege and access control enforcement, where the intended security policy of disabling rlogin access becomes ineffective due to incorrect rule ordering. System administrators must ensure that authentication rule ordering follows security best practices, with restrictive rules positioned before permissive ones to maintain the integrity of access control mechanisms. The vulnerability also highlights the need for regular security audits of authentication configurations and the importance of understanding how PAM modules interact with each other in security policy enforcement.