bugzilla-daemon at mindrot.org
2006-Dec-05 15:51 UTC
[Bug 1269] PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

Summary: PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
Product: Portable OpenSSH
Version: v4.5p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: bitbucket at mindrot.org
ReportedBy: openbsd at priv.de

If sshd gets no entry for the user trying to log in via getpwnamallow, or if the user is not allowed to log in, PAM is still consulted to authenticate. This is done to hide whether the user exists or not, to hide whether the password is right, and to hide whether the user is only blocked in the config and the password was right (PAM would not delay if the password was right).

The call to PAM requires a callback function through which the PAM module is able to tell something: things like information and errors, BUT also to ask for further input. The callback function sshd provides to the PAM module always returns the hard-coded value \b\n\r\177INCORRECT as the user's input when it is asked for further input, if it is called in one of the cases mentioned in the first paragraph. This behaviour is implemented to make sure that the timing when trying to log in as the root user is handled the same whether or not it is allowed by "PermitRootLogin". It is NOT the code that makes sure he can't log in: this is done later (search for "Internal error: PAM auth succeeded when it should have failed").

The problem is that this modification of the input to the callback function is also done if the user is not known by getpwnamallow. In this case, if any other information besides the password is requested by the PAM module, it gets the garbage as the answer. This could be a username, a cryptocard answer or anything else, no matter whether the prompt is hidden or not. This blocks many possible programming scenarios unnecessarily. Second, through this manipulation sshd makes it discoverable in some situations which users exist and which do not.

Also it is not a very good idea to send garbage and special characters to an unknown PAM module just because the user does not exist... This is a real security impact!

Attack scenario: The PAM module may always react comprehensibly to this special information, for example by echoing the input the user gave in an error message, or by telling that there are special characters in the input you gave. If a module reacts like this, it is possible to discover which users ssh can resolve and which not. This is internal information of ssh the attacker gets, not of PAM. Maybe there are further attacks for such cases... I am unable to complete the list of problems, because I have no overview of the PAM modules using the callback function.

Further problems: If a PAM module is doing something with the information provided from the callback function, it is impossible to request data for users not existing for ssh. Further, it is also unknown what it does with the special characters. Maybe it just uses "\b" as an identifier because of the leading "\b\n". Maybe an attacker sets some password or something else in the system to use this default as a backdoor or something like that. I think this situation is unsatisfying.

Solutions: I am going to post two possible fixes by attaching them to this bugzilla. I do not have an overview of the OpenSSH portable code in detail, so I think the exact patch should be proofed by one of your team, and maybe improved. One is simply to pass through the information if the user is unknown; the second only blocks the information if the input was hidden. But the second is wrong in view of the interface specification: a hidden input need not be a password. Presumably this bug is caused by neglecting that this callback function is not only used for passwords. So I think it really needs to be fixed. I hope there will be a fix in the near future using the PAM interface correctly.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Dec-05 16:09 UTC
[Bug 1269] PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

------- Comment #1 from openbsd at priv.de 2006-12-06 03:08 -------
Created an attachment (id=1217)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1217&action=view)
E-Mail conversation about this with Darren Tucker
bugzilla-daemon at mindrot.org
2006-Dec-05 16:11 UTC
[Bug 1269] PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

------- Comment #2 from openbsd at priv.de 2006-12-06 03:11 -------
Created an attachment (id=1218)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1218&action=view)
Simplest fix: if the user is unknown, the input is still delivered unchanged
bugzilla-daemon at mindrot.org
2006-Dec-06 13:31 UTC
[Bug 1269] PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

------- Comment #3 from openbsd at priv.de 2006-12-07 00:31 -------
Created an attachment (id=1219)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1219&action=view)
libnss module solving this problem

There is a hotfix for this problem, resolved via libnss: Just compile this short libnss module via

    gcc -c -o passwd.o passwd.c
    gcc --shared -o passwd.so passwd.o

Name the output file (here passwd.so) for example "permit", so the libnss filename results in "libnss_permit.so.2". Copy passwd.so with this filename to /lib, and add in nsswitch.conf after "compat" the name you chose (in the example here it is "permit"):

    [...]
    passwd: compat permit
    [...]

If you now restart your sshd, SSH passes all information, apart from a deactivated root user, to PAM.
bugzilla-daemon at mindrot.org
2006-Dec-08 14:41 UTC
[Bug 1269] PAM Callback returns garbage if user unknown or root with disabled login in ssh-config
http://bugzilla.mindrot.org/show_bug.cgi?id=1269

------- Comment #4 from openbsd at priv.de 2006-12-09 01:41 -------
Bug #1215 is also about this code area and logic; it is surely helpful if someone is concerned with this difficulty.