bugzilla-daemon at mindrot.org
2005-Jan-11 07:06 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

           Summary: keyboard-interactive/pam leaks info about user existence
           Product: Portable OpenSSH
           Version: -current
          Platform: All
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: dtucker at zip.com.au
   Estimated Hours: 0.00

During keyboard-interactive authentication, if the PAM stack inserts a delay on bad logins, the delay will be present for accounts that exist, and not present for accounts that do not.

One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and "PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does not have this issue.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Jan-11 07:08 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:08 -------
Created an attachment (id=765)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=765&action=view)
Make kbdint code call driver even for non-existent users
bugzilla-daemon at mindrot.org
2005-Jan-11 07:12 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:12 -------
Created an attachment (id=766)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=766&action=view)
Feed bogus input to PAM for invalid logins

Note: you will need to apply *both* patches (#765 and #766) to completely fix the problem.

Patch #766 partially by Colin Watson.
bugzilla-daemon at mindrot.org
2005-Jan-11 07:22 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |914
bugzilla-daemon at mindrot.org
2005-Jan-11 07:25 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |701
bugzilla-daemon at mindrot.org
2005-Jan-19 05:39 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #765 is obsolete|0                           |1

------- Additional Comments From dtucker at zip.com.au 2005-01-19 16:39 -------
Created an attachment (id=771)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=771&action=view)
Make kbdint call driver even for invalid logins

Instead of always continuing, this patch now leaves it up to the individual drivers and adds an authctxt->valid check to bsdauth to maintain the current behavior for it.
bugzilla-daemon at mindrot.org
2005-Jan-20 03:29 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |RESOLVED
        Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2005-01-20 14:29 -------
This is now fixed in -current and the 3.9 branch:

 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
   existence via keyboard-interactive/pam, in conjunction with previous
   auth2-chall.c change; with Colin Watson and djm.
bugzilla-daemon at mindrot.org
2005-Jan-20 06:45 UTC
[Bug 971] keyboard-interactive/pam leaks info about user existence
http://bugzilla.mindrot.org/show_bug.cgi?id=971

------- Additional Comments From senthilkumar_sen at hotpop.com 2005-01-20 17:45 -------
Created an attachment (id=775)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=775&action=view)
Patch for Kerberos timing difference for Valid and Invalid user

For PAM-Passwd Authentication with KerberosAuthentication being set to yes, there exists a time difference for a valid user and an invalid user. The attached patch fixes that.
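The following is an added example, not code from the bug report, from OpenSSH or from any of the attached patches. It models the control flow the thread describes: a keyboard-interactive driver that skips the PAM conversation for non-existent accounts pays no failure delay for them, while a driver that always runs and feeds PAM bogus input for an invalid login (the approach of attachments #771 and #766) behaves identically for both. The same "execute the full failure path regardless of account validity" pattern is what the Kerberos comment above is about. The PAM stack is a stub, the "delay units" counter is a deterministic stand-in for wall-clock time, and the user names, password and delay constant are constructed sample data.

```c
/* Added example (not OpenSSH code): models the control flow behind bug #971.
 * The PAM stack is a stub that charges a fixed "fail delay" only when it is
 * actually asked to authenticate and the credentials are wrong; the counter
 * stands in for wall-clock time so the comparison is deterministic. */
#include <stdio.h>
#include <string.h>

#define PAM_FAIL_DELAY_UNITS 2000   /* constructed stand-in for a PAM fail delay */

/* Minimal authentication context, mirroring the authctxt->valid idea. */
struct authctxt {
    const char *user;
    int valid;              /* 1 if the account lookup would succeed */
};

/* Constructed sample data: the one account/password the stub PAM stack knows. */
static const char *KNOWN_USER = "alice";
static const char *KNOWN_PASS = "correct horse";

/* Stub PAM conversation. Returns 1 on success, 0 on failure; a failure
 * always adds the fail delay, whether or not the user name is known. */
static int stub_pam_authenticate(const char *user, const char *pass, long *delay)
{
    if (strcmp(user, KNOWN_USER) == 0 && strcmp(pass, KNOWN_PASS) == 0)
        return 1;
    *delay += PAM_FAIL_DELAY_UNITS;
    return 0;
}

/* Leaky shape: the driver is only consulted for valid users, so an unknown
 * account never reaches PAM and never pays the fail delay. */
int kbdint_auth_leaky(struct authctxt *ctxt, const char *response, long *delay)
{
    if (!ctxt->valid)
        return 0;                   /* fast path: observable as a timing difference */
    return stub_pam_authenticate(ctxt->user, response, delay);
}

/* Fixed shape: always run the driver; for an invalid login hand PAM a bogus
 * password so it performs its normal failure handling, then discard the
 * result and refuse the login regardless of what PAM said. */
int kbdint_auth_fixed(struct authctxt *ctxt, const char *response, long *delay)
{
    if (!ctxt->valid) {
        /* Constructed bogus credential; the point is only that PAM fails. */
        (void)stub_pam_authenticate(ctxt->user, "BOGUS-INPUT", delay);
        return 0;                   /* never accept an invalid account */
    }
    return stub_pam_authenticate(ctxt->user, response, delay);
}

typedef int (*kbdint_fn)(struct authctxt *, const char *, long *);

/* Delay units charged for one login attempt under the given driver. */
long observed_delay(kbdint_fn fn, const char *user, int valid, const char *response)
{
    struct authctxt ctxt = { user, valid };
    long delay = 0;
    fn(&ctxt, response, &delay);
    return delay;
}

/* Regression check a defender can keep in a test suite: returns 1 if the
 * driver's failure delay differs between an existing and a non-existing
 * account, i.e. account existence is still observable through timing. */
int leaks_user_existence(kbdint_fn fn)
{
    long d_real = observed_delay(fn, "alice", 1, "wrong password");
    long d_fake = observed_delay(fn, "mallory", 0, "wrong password");
    return d_real != d_fake;
}

int main(void)
{
    printf("leaky driver distinguishable by delay: %d\n",
           leaks_user_existence(kbdint_auth_leaky));
    printf("fixed driver distinguishable by delay: %d\n",
           leaks_user_existence(kbdint_auth_fixed));
    return 0;
}
```

Note that the fixed driver still returns failure for the invalid account even though it ran PAM; the bogus input exists only so that PAM's failure handling (and its delay) happens on both paths. A real test against sshd would have to measure wall-clock time over many attempts, which is noisy; keeping the delay as an explicit counter in the model makes the equality check exact.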