freebsd security - Oct 2013 - OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)

Hello,

I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM
sources.
The big embarrassment was in pam_get_authtok.c. The problem is that even without
a
valid SSH login it's possible to know the server's hostname.

az at az:/home/az % ssh 1.2.3.4
Password for az at real.hostname.com:

Changes made by "des":
http://www.openpam.org/changeset/510/openpam/trunk/lib

I really do not think that this behavior must be present! I ask the community to
pay
attention to it and remove these harmful changes.

Kind regards,
Andrei.

23/10/2013 13:56 - Andrei wrote:
> Hello,
> 
> I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM
sources.
> The big embarrassment was in pam_get_authtok.c. The problem is that even
without a
> valid SSH login it's possible to know the server's hostname.
> 
> az at az:/home/az % ssh 1.2.3.4
> Password for az at real.hostname.com:
> 
> Changes made by "des":
http://www.openpam.org/changeset/510/openpam/trunk/lib
> 
> I really do not think that this behavior must be present! I ask the
community to
> pay
> attention to it and remove these harmful changes.
> 
> Kind regards,
> Andrei.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at
freebsd.org"
> 

I agree. That looks like an unnecessary privacy violation to me. What do you
think des@?

On Wed, 23 Oct 2013 05:00:13 -0700
David Wolfskill <david at catwhisker.org> wrote:
> 
> Does that also apply if /etc/ssh/sshd_config has been changed to read:
> 
> # Change to no to disable PAM authentication
> ChallengeResponseAuthentication no
> 
> (as I routinely do)?
> 
> Peace,
> david
In this case you lose "keyboard-interactive" login option. But we need
it.

Kind regards,
Andrei.