jayaraj at amritapuri.com
2001-Nov-07 10:01 UTC
Flaw in empty password authentication in sshd
The auth-pam.c of sshd server contains a small flaw that allows empty
password logins even if "PermitEmptyPasswords" option in the sshd
config
file is set to "no". The scenario is as follows:
Using ssh the user tries to logon to the machine using an account that has
empty password. If the user presses enter on the password prompt (NULL
password) access is disallowed. However upon entry of any random string
the user is granted successful login.
In "auth_pam_password" function (auth_pam.c) the lines:
if(*password == '\0' && options.permit_empty_passwd == 0)
return 0;
disallows a login to an empty password account by providing empty
password.
However if the user provides a random non-empty password the user is able
to login to an account that has empty password. This is because the
"pam_authenticate" function which is called from
"do_pam_authenticate" is
always called with "flags" set to "0".
If the system PAM authentication configuration is tightened this can be
disallowed. However, since users rely on the SSH configuration this
non-intuitive and buggy behaviour may be dangerous.
>How-To-Repeat:
The SSHD PAM configuration file must be the one that is shipped as a part
of ssh install. In the source package this file is
"contrib/redhat/sshd.pam-7.x".
Since this file relies on system-auth file, a copy of the system-auth file
in my system (standard Redhat 7.1) is pasted below:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5
shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
(Note that this has nullok configuration)
Create an account that requires no password.
Using ssh logon to the machine using the empty password account name.
If the user presses enter on the password prompt (NULL password) access is
disallowed. However upon entry of any random string the user is allowed
to enter.
>Fix:
This problem can be overcome if "pam_authenticate" is called with
"PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not
permitted.
A possible patch for the problem is given below:
*** auth-pam.c Tue Apr 24 00:08:37 2001
--- auth-amrita.c Tue Nov 6 22:58:46 2001
***************
*** 203,208 ****
--- 203,209 ----
{
extern ServerOptions options;
int pam_retval;
+ int flags=0;
do_pam_set_conv(&conv);
***************
*** 217,223 ****
__pampasswd = password;
pamstate = INITIAL_LOGIN;
! pam_retval = do_pam_authenticate(0);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for "
"user \"%.100s\"", pw->pw_name);
--- 218,227 ----
__pampasswd = password;
pamstate = INITIAL_LOGIN;
! if ( options.permit_empty_passwd == 0 )
! flag = PAM_DISALLOW_NULL_AUTHTOK;
!
! pam_retval = do_pam_authenticate(flags);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for "
"user \"%.100s\"", pw->pw_name);
---------------
Jayaraj
Amrita Institute of Computer Technology, Amritapuri
India
On Wed, 7 Nov 2001 jayaraj at amritapuri.com wrote:
: >Fix:
: This problem can be overcome if "pam_authenticate" is called with
: "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not
permitted.
:
: A possible patch for the problem is given below:
thanks. i propose the following. can some PAM experts comment on this?
is this the correct way to fix this? i have tested on hp-ux 11.
Index: auth-pam.c
==================================================================RCS file:
/var/cvs/openssh/auth-pam.c,v
retrieving revision 1.40
diff -u -r1.40 auth-pam.c
--- auth-pam.c 2001/10/28 17:32:38 1.40
+++ auth-pam.c 2001/11/09 19:36:41
@@ -217,7 +217,8 @@
__pampasswd = password;
pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(0);
+ pam_retval = do_pam_authenticate(
+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
if (pam_retval == PAM_SUCCESS) {
debug("PAM Password authentication accepted for "
"user \"%.100s\"", pw->pw_name);
>: This problem can be overcome if "pam_authenticate" is called with >: "PAM_DISALLOW_NULL_AUTHTOK" flag if empty passwords are not permitted. >: >: A possible patch for the problem is given below: > >thanks. i propose the following. can some PAM experts comment on this? >is this the correct way to fix this? i have tested on hp-ux 11. > >Index: auth-pam.c >==================================================================>RCS file: /var/cvs/openssh/auth-pam.c,v >retrieving revision 1.40 >diff -u -r1.40 auth-pam.c >--- auth-pam.c 2001/10/28 17:32:38 1.40 >+++ auth-pam.c 2001/11/09 19:36:41 >@@ -217,7 +217,8 @@ > __pampasswd = password; > > pamstate = INITIAL_LOGIN; >- pam_retval = do_pam_authenticate(0); >+ pam_retval = do_pam_authenticate( >+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); > if (pam_retval == PAM_SUCCESS) { > debug("PAM Password authentication accepted for " > "user \"%.100s\"", pw->pw_name);That is the correct thing to do. -- Darren J Moffat