bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 15:23 UTC
[Bug 1681] New: conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

           Summary: conversation function for passwd auth method assumes instead of fail
           Product: Portable OpenSSH
           Version: 5.3p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: PAM support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: zdenek.kotala at sun.com

PAM documentation says (http://docs.sun.com/app/docs/doc/816-4863/emrbk?l=en&a=view):

----
Developers should make no assumptions about how PAM is to communicate with users. Rather, the application should exchange messages with the user until the operation is complete. Applications should display the message strings for the conversation function without interpretation or modification. An individual message can contain multiple lines, control characters, or extra blank spaces. Note that service modules are responsible for localizing any strings sent to the conversation function.
----

But sshpam_passwd_conv() "Assumes that echo-off prompts are for the password" and passes the password as the reply. This could lead to the password being exposed to a wrong consumer.

The correct solution is to set AUTHTOK before pam_authenticate is called in the sshpam_auth_passwd() function. Something like this:

    pam_set_item(sshpam_handle, PAM_AUTHTOK, password);

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 15:43 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #1 from Zdeněk Kotala <zdenek.kotala at sun.com> 2009-12-04 02:43:35 EST ---
I forgot to mention that sshpam_passwd_conv() should return PAM_CONV_ERR in the case of a PAM_PROMPT_ECHO_OFF message.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 15:46 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

Tomas Mraz <t8m at centrum.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |t8m at centrum.cz

--- Comment #2 from Tomas Mraz <t8m at centrum.cz> 2009-12-04 02:46:28 EST ---
Setting PAM_AUTHTOK will not work with Linux-PAM, as this item is not accessible to applications.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 15:56 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #3 from Zdeněk Kotala <zdenek.kotala at sun.com> 2009-12-04 02:56:19 EST ---
As the documentation and the draft of the XSSO standard say, you really cannot read AUTHTOK in an application, but that is not a problem. The application (in this case ssh) does not need to read it, because that could lead to leaking a password in some cases, but the information is in the PAM session and a PAM module can access it.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 16:27 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #4 from Tomas Mraz <t8m at centrum.cz> 2009-12-04 03:27:12 EST ---
Maybe the standard says that; however, I am just saying what the current and all previous Linux-PAM versions did - they allow neither getting nor setting the PAM_AUTHTOK item from the application. Maybe setting the PAM_AUTHTOK item from the application should be allowed in future Linux-PAM versions; however, I do not think openssh can depend on having PAM_AUTHTOK available to the application.

Also, not supporting the current way the openssh password authentication is implemented with PAM means that current PAM setups might not work anymore - PAM modules, for example, might require the try_first_pass option to consult the PAM_AUTHTOK item at all before calling the conversation function.

In fact the "assume that echo-off prompts are for the authtok" approach worked fine in most of the PAM configurations, and in the remaining special cases the sshd should have been configured to use keyboard-interactive authentication instead of password authentication.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 16:43 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #5 from Zdeněk Kotala <zdenek.kotala at sun.com> 2009-12-04 03:43:04 EST ---
(In reply to comment #4)
> Maybe the standard says that however I am just saying what current and
> all previous Linux-PAM versions did - they do not allow neither to get
> nor set the PAM_AUTHTOK item from application.

Also the Linux-PAM documentation says (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/mwg-expected-by-module-item.html#mwg-pam_set_item):

---
PAM_AUTHTOK
The authentication token (often a password). This token should be ignored by all module functions besides pam_sm_authenticate(3) and pam_sm_chauthtok(3). In the former function it is used to pass the most recent authentication token from one stacked module to another. In the latter function the token is used for another purpose. It contains the currently active authentication token.
---

It is also mentioned in the documentation from 2002/05/09. It should work on Linux as well. If not, stacked PAM modules could not work together.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 17:12 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #6 from Tomas Mraz <t8m at centrum.cz> 2009-12-04 04:12:45 EST ---
Where do you see in the Linux-PAM documentation that it is available to applications? It just says it is available to modules to pass the token between each other in the stack.
bugzilla-daemon at bugzilla.mindrot.org
2009-Dec-03 19:28 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

--- Comment #7 from Zdeněk Kotala <zdenek.kotala at sun.com> 2009-12-04 06:28:35 EST ---
I'm sorry, I overlooked it. It mentions that it works only between modules. I also checked the Linux-PAM code and there is a wrong check. The fix is easy, but it will take a long time to spread to Linux distributions. :(
bugzilla-daemon at bugzilla.mindrot.org
2010-Apr-23 01:59 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #8 from Damien Miller <djm at mindrot.org> 2010-04-23 11:59:29 EST ---
Yes, this is one of the (many) horrors of PAM. Unfortunately, for the reasons discussed, we cannot ever really get rid of this (PAM_AUTHTOK is Linux-only). On the other hand, it is quite well understood how PAM must be configured to operate correctly with SSH password authentication. If the thought of this assumption in password auth is too much for you, you can disable PAM or use keyboard-interactive authentication, which makes no such assumptions.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:34 UTC
[Bug 1681] conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #9 from Damien Miller <djm at mindrot.org> 2011-01-24 12:34:03 EST ---
Move resolved bugs to CLOSED after 5.7 release
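The two conversation-function policies argued over in this thread, as an added example in C that is not OpenSSH's code: strict=0 reproduces the "assume echo-off prompts are for the password" behaviour of sshpam_passwd_conv(), while strict=1 hands the password to the first echo-off prompt only and answers any further one with PAM_CONV_ERR, the stricter failure mode comment #1 asks for and the one comment #4 warns would break stacks that rely on the old behaviour. PAM types and constants are redeclared locally so the file compiles without the PAM headers; the password, prompts and run_stack() driver are constructed sample values.

```c
/* Added example, not OpenSSH code. PAM types and constants are redeclared with
 * Linux-PAM's values so this builds without <security/pam_appl.h>. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* State reached via appdata_ptr: strict=0 answers every echo-off prompt with the password (sshd's assumption), strict=1 answers it once and then refuses. */
struct passwd_ctx { const char *password; int strict; int handed_out; };

static int passwd_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *appdata)
{
    struct passwd_ctx *ctx = appdata; int i;
    struct pam_response *reply = n > 0 ? calloc((size_t)n, sizeof(*reply)) : NULL;
    if (reply == NULL) return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
            /* A second echo-off prompt means a module wants some other secret;
             * strict mode refuses rather than leak the password to it. */
            if ((ctx->strict && ctx->handed_out > 0) ||
                (reply[i].resp = strdup(ctx->password)) == NULL) goto fail;
            ctx->handed_out++; break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO: break;   /* informational only; sshd would log or queue these */
        default: goto fail;   /* echo-on or unknown style: nothing sensible to answer */
        }
    }
    *resp = reply;
    return PAM_SUCCESS;
fail:   /* wipe and release anything already filled in before failing */
    for (i = 0; i < n; i++)
        if (reply[i].resp) { memset(reply[i].resp, 0, strlen(reply[i].resp)); free(reply[i].resp); }
    free(reply);
    return PAM_CONV_ERR;
}

/* Drive the conversation as a two-module stack would: "Password:" then another
 * echo-off prompt. Returns how often the password was handed out, -1 on refusal. */
int run_stack(int strict)
{
    struct passwd_ctx ctx = { "example-password", strict, 0 };   /* constructed sample */
    const struct pam_message m[2] = { { PAM_PROMPT_ECHO_OFF, "Password: " },
                                      { PAM_PROMPT_ECHO_OFF, "Verification code: " } };
    for (int i = 0; i < 2; i++) {
        const struct pam_message *p = &m[i]; struct pam_response *r = NULL;
        if (passwd_conv(1, &p, &r, &ctx) != PAM_SUCCESS) return -1;
        free(r->resp); free(r);
    }
    return ctx.handed_out;
}
```

With strict=0 the password reaches both prompts (handed out twice); with strict=1 the second prompt is refused, which is exactly the compatibility trade-off comment #4 describes for stacks that expect the old behaviour.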