http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From fcusack at fcusack.com 2002-04-16 23:27 -------

sshd should definitely not be using 'NOUSER'. The correct thing is to use the
username, regardless of whether (pw) exists. I can't understand why you would
substitute the value 'NOUSER'.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
djm at mindrot.org changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |ASSIGNED

------- Additional Comments From djm at mindrot.org 2002-04-17 11:07 -------

You do see the username, auth2.c line 193-197:

    log("input_userauth_request: illegal user %s", user);
#ifdef USE_PAM
    start_pam("NOUSER");
#endif

We fake a username with PAM to mitigate timing attacks.
------- Additional Comments From fcusack at fcusack.com 2002-04-17 17:54 -------

Yes "YOU" see the username but PAM doesn't. How about a comment in the code
about the timing attack you are trying to mitigate?

You are eliminating the possibility that sshd might want to authenticate
someone without a local account (requesting a non-login service?).

Also, I think this is counter-productive with PAM. PAM has its own ability
to do this.
------- Additional Comments From djm at mindrot.org 2002-04-17 23:39 -------

> You are eliminating the possibility that sshd might want to authenticate
> someone without a local account (requesting a non-login service?).

PAM shouldn't be abused to be a getpw* replacement. Quoth
http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt:

] (c) We do not address the source of information obtained from the
] "`getXbyY()'" family of calls (e.g., `getpwnam()').
------- Additional Comments From abartlet at samba.org 2002-04-18 00:37 -------

While there are varying ideas on the interesting ways OpenSSH could be
modified for usage without login accounts (and I see some real useful ideas
here actually) this isn't the main issue.

OpenSSH should always forward the correct username to PAM. Forwarding the
incorrect username achieves nothing - and prevents PAM from logging
'attempted login for user _____' in a consistent way across all system
daemons.
------- Additional Comments From fcusack at fcusack.com 2002-05-09 13:38 -------

Forwarding a fake username also means there is an undocumented username that
has side effects caused by sshd; although all caps probably makes this a
non-concern, to me it still smacks of special names like COM.

This will be my last comment on the matter:

- You are not doing anything by using 'NOUSER', at least nothing I can
  figure out. If this is to prevent some kind of attack, please add comments
  in the code.

- You *are* causing problems. E.g., my sshd w/ PAM uses a RADIUS backend. On
  my RADIUS server I get logs for 'NOUSER' failing. I would like to know what
  the attempted username was, and I would like to get this from a central
  source (the RADIUS server). I will admit, on the level of "problems" this
  is minor if 'NOUSER' actually prevents some attack.

- The protocol 1 code path does not call PAM at all for invalid users. This
  would be acceptable for the protocol 2 code path, and better than using
  'NOUSER', but eliminates the possibility of non-login services.