From 1464f01d191ee4e01ed2ec94f4faf8d17ec62b03 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun, 8 Dec 2019 01:30:42 -0500
Subject: [PATCH] description

---
 debian/control | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/debian/control b/debian/control
index 27767a7..5e2a159 100644
--- a/debian/control
+++ b/debian/control
@@ -173,13 +173,15 @@ Description: enhances misc security settings
  /etc/securetty.security-misc
  .
   * Console Lockdown.
- Allow members of group 'console' to use console. Everyone else except
- members of group 'console-unrestricted' are restricted from using console
- using ancient, unpopular login methods such as using /bin/login over networks,
- which might be exploitable. (CVE-2001-0797) Using pam_access.
+ Allow members of group 'console' to use console and members of group 'ssh'
+ to receive incoming SSH connections. Everyone else except members of group
+ 'console-unrestricted' are restricted from using console using ancient,
+ unpopular login methods such as using /bin/login over networks, which might
+ be exploitable. (CVE-2001-0797) Using pam_access.
  Not enabled by default in this package since this package does not know which
- users shall be added to group 'console' and would break ssh login since files
- in /usr/share/pam-configs/console-lockdown result in modifications of
+ users shall be added to group 'console' and/or 'ssh' and would break console,
+ X Window System and ssh login since files in
+ /usr/share/pam-configs/console-lockdown result in modifications of
  /etc/pam.d/common-account file which not only applies to /etc/pam.d/login but
  also all other services such as /etc/pam.d/ssh.
  /usr/share/pam-configs/console-lockdown