bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-17 19:40 UTC
[Bug 1322] New: pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Summary: pam_end() is not called if authentication fails, which
breaks pam-abl
Product: Portable OpenSSH
Version: 4.6p1
Platform: Other
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: bitbucket at mindrot.org
ReportedBy: kreiger at linuxgods.com
Pam-abl (http://www.hexten.net/wiki/index.php/Pam_abl) is a PAM module
that automatically blacklists hosts or users after a given number of
failed authentication attempts.
It relies on pam_end() being called by the pam application, and this is
not done by sshd for failed authentication attempts.
This is debian bug 405041, and i have confirmed that applying the patch
found at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041 makes
pam-abl work again.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-17 23:57 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322 --- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2007-06-18 09:57:50 --- Created an attachment (id=1307) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1307) Changeset that introduced the change in question. This is the changeset that introduced the change for reference. -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:07 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> 2007-06-18
10:07:54 ---
DO NOT apply the patch in the Debian bug. It will expose your system to
the signal handler vulnerability fixed in openssh-4.4
This is the "difficult to fix" SIGALRM handler. We could make
sshpam_cleanup() fire if do_cleanup was not called in signal context,
but that would just open a different workaround for password guessers:
make max_auth_tries-1 guesses and keep the connection open until it
times out.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:16 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322 --- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2007-06-18 10:16:43 --- Created an attachment (id=1308) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1308) Patch by Sandro Wefel from Debian bug #405041 Proposed patch from the Debian bug. -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:17 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |dtucker at zip.com.au
Blocks| |1289, 1305
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2007-06-18
10:17:36 ---
Target next release
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:20 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1308|Patch by Sandro Wefel from |Patch by Sandro Wefel from
description|Debian bug #405041 |Debian bug #405041 (don't
| |use as per djm's comments)
Attachment #1308|application/octet-stream |application/text
mime type| |
Attachment #1308 is|0 |1
obsolete| |
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:20 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1308|Patch by Sandro Wefel from |Patch by Sandro Wefel from
description|Debian bug #405041 (don't |Debian bug #405041
|use as per djm's comments) |
Attachment #1308|application/text |text/plain
mime type| |
Attachment #1308 is|0 |1
patch| |
Attachment #1308 is|1 |0
obsolete| |
Attachment #1308| |ok-
Flag| |
--- Comment #5 from Damien Miller <djm at mindrot.org> 2007-06-18
10:20:43 ---
(From update of attachment 1308)
as per comment #2
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-18 00:21 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1308|Patch by Sandro Wefel from |Patch by Sandro Wefel from
description|Debian bug #405041 |Debian bug #405041 (don't
| |use as per djm's comments)
Attachment #1308 is|0 |1
obsolete| |
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jul-11 14:47 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322 --- Comment #6 from Sandro Wefel <sandro.wefel at informatik.uni-halle.de> 2007-07-12 00:47:03 --- Created an attachment (id=1325) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1325) Patch for do_cleanup with respect to the signal handler vulnerability fixed in openssh-4.4 -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Jul-11 15:17 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Sandro Wefel <sandro.wefel at informatik.uni-halle.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sandro.wefel at informatik.uni-
| |halle.de
--- Comment #7 from Sandro Wefel <sandro.wefel at informatik.uni-halle.de>
2007-07-12 01:17:41 ---
Please have a look at the attached patch (id=1325).
The idea is to call sshpam_cleanup() if authctxt->authenticated is not
set before the KRB5 and GSSAPI blocks. After the pam-call we just
return from the function do_cleanup(). This means that
krb5_cleanup_proc(authctxt) is not called with an invalid parameter but
the sshpam_cleanup() is done which leads to the pam_end call.
IMHO this should avoid the signal handler race condition CVE-2006-5051
in krb5_cleanup_proc but calls pam_end() if the user authentication
fails.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-10 04:09 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1325|text/x-patch |text/plain
mime type| |
Attachment #1325 is|0 |1
patch| |
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-13 13:21 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1325 is|0 |1
obsolete| |
Attachment #1307 is|0 |1
obsolete| |
--- Comment #8 from Darren Tucker <dtucker at zip.com.au> 2007-08-13
23:21:31 ---
Created an attachment (id=1339)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1339)
Patch #1325 with dead code removed.
Damien points out that this makes the existing PAM cleanup code
unnecessary.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-13 13:22 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1339| |ok+
Flag| |
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 13:29 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |feldt at nhn.ou.edu
--- Comment #9 from Darren Tucker <dtucker at zip.com.au> 2007-08-15
23:29:08 ---
*** Bug 1308 has been marked as a duplicate of this bug. ***
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 13:48 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1339 is|0 |1
obsolete| |
Attachment #1339|ok+ |ok-
Flag| |
--- Comment #10 from Darren Tucker <dtucker at zip.com.au> 2007-08-15
23:48:19 ---
(From update of attachment 1339)
Oops, the patch is wrong; it won't clean up after authenticated
connections.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 13:51 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322 --- Comment #11 from Darren Tucker <dtucker at zip.com.au> 2007-08-15 23:51:33 --- Created an attachment (id=1342) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1342) Allow PAM cleanup for unathenticated connections based on previous I think this is the simplest patch that does what is required. -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-15 16:22 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322 --- Comment #12 from Sandro Wefel <sandro.wefel at informatik.uni-halle.de> 2007-08-16 02:22:19 --- The last patch works for me like my patch on all tested architectures and machines in combination with pam_abl. Good work. -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-16 03:52 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1342| |ok+
Flag| |
--- Comment #13 from Damien Miller <djm at mindrot.org> 2007-08-16
13:52:47 ---
(From update of attachment 1342)
ok for 4.7
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Aug-16 13:30 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
http://bugzilla.mindrot.org/show_bug.cgi?id=1322
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
--- Comment #14 from Darren Tucker <dtucker at zip.com.au> 2007-08-16
23:29:59 ---
Applied, thanks to all.
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Apr-03 22:59 UTC
[Bug 1322] pam_end() is not called if authentication fails, which breaks pam-abl
https://bugzilla.mindrot.org/show_bug.cgi?id=1322
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #15 from Damien Miller <djm at mindrot.org> 2008-04-04
09:59:54 ---
Close resolved bugs after release.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.