openssh unix dev - Nov 2001 - Flaw in empty password authentication in sshd

The auth-pam.c of sshd server contains a small flaw that allows empty 
password  logins even if "PermitEmptyPasswords" option in the sshd
config
file is set to  "no". The scenario is as follows: 
   Using ssh the user tries to logon to the machine using an account that has 
empty    password. If the user presses enter on the password prompt (NULL 
password)    access is disallowed.  However upon entry of any random string 
the user is    granted successful login. 

   In "auth_pam_password" function (auth_pam.c) the lines: 
   if(*password == '\0' && options.permit_empty_passwd == 0) 
     return 0; 
   disallows a login to an empty password account by providing empty 
password. 

   However if the user provides a random non-empty password the user is able 
to  login to an account that has empty password. This is because the  
"pam_authenticate" function which is called from
"do_pam_authenticate" is
always  called with "flags" set to "0". 

   If the system PAM authentication configuration is tightened this can be 
   disallowed.  However, since users rely on the SSH configuration this 
   non-intuitive and buggy behaviour may be dangerous. 

   >How-To-Repeat: 

   The SSHD PAM configuration file must be the one that is shipped as a part 
of ssh   install.  In the source package this file is 
"contrib/redhat/sshd.pam-7.x". 

   Since this file relies on system-auth file, a copy of the system-auth file 
in my  system (standard Redhat 7.1) is pasted below: 

   #%PAM-1.0 
   # This file is auto-generated. 
   # User changes will be destroyed the next time authconfig is run. 
   auth        required      /lib/security/pam_env.so 
   auth        sufficient    /lib/security/pam_unix.so likeauth nullok 
   auth        required      /lib/security/pam_deny.so 
   account     required      /lib/security/pam_unix.so 
   password    required      /lib/security/pam_cracklib.so retry=3 
   password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 
shadow 
   password    required      /lib/security/pam_deny.so 
   session     required      /lib/security/pam_limits.so 
   session     required      /lib/security/pam_unix.so 

   (Note that this has nullok configuration) 

   Create an account that requires no password. 

   Using ssh logon to the machine using the empty password account name. 

   If the user presses enter on the password prompt (NULL password) access is 
   disallowed.  However upon entry of any random string the user is allowed 
to  enter. 

   >Fix: 
   This problem can be overcome if "pam_authenticate" is called with 
   "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not
permitted.

   A possible patch for the problem is given below: 

   *** auth-pam.c Tue Apr 24 00:08:37 2001 
   --- auth-amrita.c Tue Nov  6 22:58:46 2001 
   *************** 
   *** 203,208 **** 
   --- 203,209 ---- 
     { 
      extern ServerOptions options; 
      int pam_retval; 
   +         int flags=0; 

      do_pam_set_conv(&conv); 

   *************** 
   *** 217,223 **** 
      __pampasswd = password; 

      pamstate = INITIAL_LOGIN; 
   ! pam_retval = do_pam_authenticate(0); 
      if (pam_retval == PAM_SUCCESS) { 
      debug("PAM Password authentication accepted for " 
          "user \"%.100s\"", pw->pw_name); 
   --- 218,227 ---- 
      __pampasswd = password; 

      pamstate = INITIAL_LOGIN; 
   !         if ( options.permit_empty_passwd == 0 ) 
   !            flag = PAM_DISALLOW_NULL_AUTHTOK; 
   ! 
   ! pam_retval = do_pam_authenticate(flags); 
      if (pam_retval == PAM_SUCCESS) { 
      debug("PAM Password authentication accepted for " 
          "user \"%.100s\"", pw->pw_name); 

---------------
Jayaraj
Amrita Institute of Computer Technology, Amritapuri
India

On Wed, 7 Nov 2001 jayaraj at amritapuri.com wrote:
:   >Fix:
:   This problem can be overcome if "pam_authenticate" is called with
:   "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not
permitted.
:
:   A possible patch for the problem is given below:

thanks.  i propose the following.  can some PAM experts comment on this?
is this the correct way to fix this?  i have tested on hp-ux 11.

Index: auth-pam.c
==================================================================RCS file:
/var/cvs/openssh/auth-pam.c,v
retrieving revision 1.40
diff -u -r1.40 auth-pam.c
--- auth-pam.c	2001/10/28 17:32:38	1.40
+++ auth-pam.c	2001/11/09 19:36:41
@@ -217,7 +217,8 @@
 	__pampasswd = password;

 	pamstate = INITIAL_LOGIN;
-	pam_retval = do_pam_authenticate(0);
+	pam_retval = do_pam_authenticate(
+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
 	if (pam_retval == PAM_SUCCESS) {
 		debug("PAM Password authentication accepted for "
 		    "user \"%.100s\"", pw->pw_name);

>:   This problem can be overcome if "pam_authenticate" is called
with
>:   "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not
permitted.
>:
>:   A possible patch for the problem is given below:
>
>thanks.  i propose the following.  can some PAM experts comment on this?
>is this the correct way to fix this?  i have tested on hp-ux 11.
>
>Index: auth-pam.c
>==================================================================>RCS
file: /var/cvs/openssh/auth-pam.c,v
>retrieving revision 1.40
>diff -u -r1.40 auth-pam.c
>--- auth-pam.c	2001/10/28 17:32:38	1.40
>+++ auth-pam.c	2001/11/09 19:36:41
>@@ -217,7 +217,8 @@
> 	__pampasswd = password;
>
> 	pamstate = INITIAL_LOGIN;
>-	pam_retval = do_pam_authenticate(0);
>+	pam_retval = do_pam_authenticate(
>+	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
> 	if (pam_retval == PAM_SUCCESS) {
> 		debug("PAM Password authentication accepted for "
> 		    "user \"%.100s\"", pw->pw_name);
That is the correct thing to do.

--
Darren J Moffat