Hello,

I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM sources.
The big embarrassment was in pam_get_authtok.c. The problem is that even without a
valid SSH login it's possible to know the server's hostname.

az at az:/home/az % ssh 1.2.3.4
Password for az at real.hostname.com:

Changes made by "des": openpam.org/changeset/510/openpam/trunk/lib

I really do not think that this behavior must be present! I ask the community to pay
attention to it and remove these harmful changes.

Kind regards,
Andrei.
23/10/2013 13:56 - Andrei wrote:
> Hello,
>
> I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM sources.
> The big embarrassment was in pam_get_authtok.c. The problem is that even without a
> valid SSH login it's possible to know the server's hostname.
>
> az at az:/home/az % ssh 1.2.3.4
> Password for az at real.hostname.com:
>
> Changes made by "des": openpam.org/changeset/510/openpam/trunk/lib
>
> I really do not think that this behavior must be present! I ask the community to pay
> attention to it and remove these harmful changes.
>
> Kind regards,
> Andrei.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

I agree. That looks like an unnecessary privacy violation to me. What do you think des@?
On Wed, 23 Oct 2013 05:00:13 -0700 David Wolfskill <david at catwhisker.org> wrote:
> Does that also apply if /etc/ssh/sshd_config has been changed to read:
>
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication no
>
> (as I routinely do)?
>
> Peace,
> david

In this case you lose the "keyboard-interactive" login option. But we need it.

Kind regards,
Andrei.
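An added audit check (example code, not from the thread or from OpenPAM/OpenSSH): it parses an sshd_config text and reports whether sshd would still offer PAM keyboard-interactive authentication, which is the path on which the pam_get_authtok() prompt discussed above is shown before any login succeeds. It assumes FreeBSD's stock defaults (UsePAM yes, ChallengeResponseAuthentication yes) and applies sshd's first-occurrence-wins rule, which is the usual reason a well-meant "no" added at the bottom of the file has no effect.

```python
import re

# sshd(8) keeps the FIRST value it sees for a keyword; later duplicates are
# ignored. Keywords are case-insensitive and may use "Key value" or "Key=value".
_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")

# Newer OpenSSH spells the option KbdInteractiveAuthentication; both names
# refer to the same setting, so normalise them to one key.
_ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def effective_sshd_options(config_text, defaults=None):
    """Return effective global options as {lowercased keyword: lowercased value}.

    Lines inside a Match block are skipped: they apply only conditionally and
    cannot turn the option on for every unauthenticated client.
    """
    opts = dict(defaults or {})
    seen = set()
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        key = _ALIASES.get(key, key)
        if key == "match":
            in_match = True
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        opts[key] = value
    return opts


def pam_prompt_exposed(config_text):
    """True if PAM keyboard-interactive auth is enabled, i.e. the PAM password
    prompt (hostname and all) is presented before authentication succeeds."""
    # Assumed defaults: FreeBSD's stock sshd_config sets UsePAM yes; the
    # ChallengeResponseAuthentication default is yes in OpenSSH itself.
    defaults = {"usepam": "yes", "challengeresponseauthentication": "yes"}
    opts = effective_sshd_options(config_text, defaults)
    return opts["usepam"] == "yes" and opts["challengeresponseauthentication"] == "yes"


# Constructed sample: David's mitigation from the thread.
HARDENED = "# Change to no to disable PAM authentication\nChallengeResponseAuthentication no\nUsePAM yes\n"
# Constructed sample: the later "no" is ignored because the first value wins.
DUPLICATE = "ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n"
# Constructed sample: a Match-scoped "no" does not protect other clients.
MATCH_ONLY = "Match User az\n    ChallengeResponseAuthentication no\n"
```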