jayaraj at amritapuri.com
2001-Nov-07 10:01 UTC
Flaw in empty password authentication in sshd
The auth-pam.c of the sshd server contains a small flaw that allows empty password logins even if the "PermitEmptyPasswords" option in the sshd config file is set to "no".

The scenario is as follows: Using ssh the user tries to log on to the machine using an account that has an empty password. If the user presses enter on the password prompt (NULL password) access is disallowed. However, upon entry of any random string the user is granted successful login.

In the "auth_pam_password" function (auth-pam.c) the lines:

    if(*password == '\0' && options.permit_empty_passwd == 0)
        return 0;

disallow a login to an empty password account by providing an empty password. However, if the user provides a random non-empty password the user is able to log in to an account that has an empty password. This is because the "pam_authenticate" function which is called from "do_pam_authenticate" is always called with "flags" set to "0".

If the system PAM authentication configuration is tightened this can be disallowed. However, since users rely on the SSH configuration this non-intuitive and buggy behaviour may be dangerous.

>How-To-Repeat:
The SSHD PAM configuration file must be the one that is shipped as a part of the ssh install. In the source package this file is "contrib/redhat/sshd.pam-7.x". Since this file relies on the system-auth file, a copy of the system-auth file on my system (standard Redhat 7.1) is pasted below:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so

(Note that this has the nullok configuration.)

Create an account that requires no password. Using ssh, log on to the machine using the empty password account name. If the user presses enter on the password prompt (NULL password) access is disallowed. However, upon entry of any random string the user is allowed to enter.

>Fix:
This problem can be overcome if "pam_authenticate" is called with the "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not permitted.

A possible patch for the problem is given below:

*** auth-pam.c	Tue Apr 24 00:08:37 2001
--- auth-amrita.c	Tue Nov 6 22:58:46 2001
***************
*** 203,208 ****
--- 203,209 ----
  {
  	extern ServerOptions options;
  	int pam_retval;
+ 	int flags=0;
  
  	do_pam_set_conv(&conv);
***************
*** 217,223 ****
  	__pampasswd = password;
  
  	pamstate = INITIAL_LOGIN;
! 	pam_retval = do_pam_authenticate(0);
  	if (pam_retval == PAM_SUCCESS) {
  		debug("PAM Password authentication accepted for "
  		    "user \"%.100s\"", pw->pw_name);
--- 218,227 ----
  	__pampasswd = password;
  
  	pamstate = INITIAL_LOGIN;
! 	if ( options.permit_empty_passwd == 0 )
! 		flag = PAM_DISALLOW_NULL_AUTHTOK;
! 
! 	pam_retval = do_pam_authenticate(flags);
  	if (pam_retval == PAM_SUCCESS) {
  		debug("PAM Password authentication accepted for "
  		    "user \"%.100s\"", pw->pw_name);
---------------
Jayaraj
Amrita Institute of Computer Technology, Amritapuri
India
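Review bot: the second hunk assigns to a variable named `flag` (`! flag = PAM_DISALLOW_NULL_AUTHTOK;`) while the first hunk declares `int flags=0;` and the call site reads `do_pam_authenticate(flags)`, so the patch as posted will not compile (`flag` is undeclared); the assignment should be `flags = PAM_DISALLOW_NULL_AUTHTOK;`. With that corrected the logic is right: the flag is only passed when PermitEmptyPasswords is "no", and the earlier `*password == '\0'` check in auth_pam_password still refuses a literally empty supplied password before PAM is consulted, so the two checks together cover both the empty-string and the random-string cases described above.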
On Wed, 7 Nov 2001 jayaraj at amritapuri.com wrote:
: >Fix:
: This problem can be overcome if "pam_authenticate" is called with
: "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not permitted.
:
: A possible patch for the problem is given below:

thanks. i propose the following. can some PAM experts comment on this?
is this the correct way to fix this? i have tested on hp-ux 11.

Index: auth-pam.c
==================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.40
diff -u -r1.40 auth-pam.c
--- auth-pam.c	2001/10/28 17:32:38	1.40
+++ auth-pam.c	2001/11/09 19:36:41
@@ -217,7 +217,8 @@
 	__pampasswd = password;
 
 	pamstate = INITIAL_LOGIN;
-	pam_retval = do_pam_authenticate(0);
+	pam_retval = do_pam_authenticate(
+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
 	if (pam_retval == PAM_SUCCESS) {
 		debug("PAM Password authentication accepted for "
 		    "user \"%.100s\"", pw->pw_name);
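Review bot: the hunk is correct but its guarantee is only as strong as the PAM module behind it, and that deserves a line in the sshd_config(5) text for PermitEmptyPasswords. PAM_DISALLOW_NULL_AUTHTOK is a request that libpam hands to the modules; pam_unix honours it (it overrides the `nullok` seen in the system-auth file posted above), but a module that never inspects the flag will keep accepting a random string for an empty-password account, and the report itself notes that tightening the PAM configuration is the other half of the defence. The unchanged `*password == '\0'` check a few lines above this hunk is still the only module-independent refusal, and it covers only the literally empty supplied password, so documenting that PermitEmptyPasswords under PAM depends on module support would stop users reading the option as a complete guarantee.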
>: This problem can be overcome if "pam_authenticate" is called with
>: "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not permitted.
>:
>: A possible patch for the problem is given below:
>
>thanks. i propose the following. can some PAM experts comment on this?
>is this the correct way to fix this? i have tested on hp-ux 11.
>
>Index: auth-pam.c
>==================================================================
>RCS file: /var/cvs/openssh/auth-pam.c,v
>retrieving revision 1.40
>diff -u -r1.40 auth-pam.c
>--- auth-pam.c	2001/10/28 17:32:38	1.40
>+++ auth-pam.c	2001/11/09 19:36:41
>@@ -217,7 +217,8 @@
> 	__pampasswd = password;
> 
> 	pamstate = INITIAL_LOGIN;
>-	pam_retval = do_pam_authenticate(0);
>+	pam_retval = do_pam_authenticate(
>+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
> 	if (pam_retval == PAM_SUCCESS) {
> 		debug("PAM Password authentication accepted for "
> 		    "user \"%.100s\"", pw->pw_name);

That is the correct thing to do.

--
Darren J Moffat
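To make the behaviour described in the report and the effect of the flag adopted in the patch concrete, here is an added example; it is not code from the report, from the patches above or from OpenSSH. `model_pam_unix_auth` is my model of how pam_unix treats an empty stored password under `nullok` and `PAM_DISALLOW_NULL_AUTHTOK` (an assumption about the module's logic; libpam is not linked, and a plain `strcmp` stands in for the `crypt()` comparison on non-empty entries). `sshd_password_auth` applies the `*password == '\0'` check from auth_pam_password and then the PAM call, with the `fixed` argument selecting either the original `do_pam_authenticate(0)` or the patched flag selection. The constants carry the Linux-PAM values so the model builds stand-alone.

```c
#include <stdio.h>
#include <string.h>

/* Values as in Linux-PAM's <security/pam_appl.h>; defined here so the
 * model compiles without libpam. */
#define PAM_SUCCESS               0
#define PAM_AUTH_ERR              7
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001

/* Model (assumption) of pam_unix.so's password check.
 * stored is the password field from /etc/shadow; "" means no password. */
static int model_pam_unix_auth(int flags, int nullok,
                               const char *stored, const char *supplied)
{
    /* The application's PAM_DISALLOW_NULL_AUTHTOK overrides the module's
     * nullok option. */
    int allow_null = nullok && !(flags & PAM_DISALLOW_NULL_AUTHTOK);

    if (stored[0] == '\0') {
        /* Empty stored password: when a null token is allowed the module
         * succeeds WITHOUT comparing the supplied string.  This is the
         * branch the report's "any random string" login goes through. */
        return allow_null ? PAM_SUCCESS : PAM_AUTH_ERR;
    }
    /* Stand-in for strcmp(crypt(supplied, stored), stored) == 0. */
    return strcmp(stored, supplied) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* sshd side: the early check in auth_pam_password() followed by the PAM
 * call.  fixed == 0 reproduces do_pam_authenticate(0); fixed != 0 passes
 * PAM_DISALLOW_NULL_AUTHTOK whenever PermitEmptyPasswords is "no".
 * Returns 1 for a successful login, 0 for a refusal. */
static int sshd_password_auth(int permit_empty_passwd, int fixed, int nullok,
                              const char *stored, const char *supplied)
{
    int flags = 0;

    /* Original check: an empty supplied password is refused here, before
     * PAM is consulted, when PermitEmptyPasswords is "no". */
    if (supplied[0] == '\0' && permit_empty_passwd == 0)
        return 0;

    if (fixed && permit_empty_passwd == 0)
        flags |= PAM_DISALLOW_NULL_AUTHTOK;

    return model_pam_unix_auth(flags, nullok, stored, supplied) == PAM_SUCCESS;
}

int main(void)
{
    /* Constructed cases: system-auth with nullok, account with no password
     * except where a stored value is given. */
    const struct {
        const char *label;
        int permit_empty, fixed, nullok;
        const char *stored, *supplied;
    } cases[] = {
        { "unpatched, empty password entered",   0, 0, 1, "",       ""       },
        { "unpatched, random string entered",    0, 0, 1, "",       "xyzzy"  },
        { "patched, random string entered",      0, 1, 1, "",       "xyzzy"  },
        { "patched, PermitEmptyPasswords yes",   1, 1, 1, "",       ""       },
        { "patched, normal account, wrong pw",   0, 1, 1, "s3cret", "nope"   },
        { "patched, normal account, right pw",   0, 1, 1, "s3cret", "s3cret" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int ok = sshd_password_auth(cases[i].permit_empty, cases[i].fixed,
                                    cases[i].nullok, cases[i].stored,
                                    cases[i].supplied);
        printf("%-38s -> %s\n", cases[i].label, ok ? "login" : "refused");
    }
    return 0;
}
```

The second case is the reported hole: the supplied string never reaches a comparison because the model, like the `nullok` branch of the module, returns success on an empty stored password. The third case shows the flag closing it, and the fourth shows that PermitEmptyPasswords "yes" still works because no flag is passed.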