Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 971] keyboard-interactive/pam leaks info about user existence
bugzilla-daemon at mindrot
Jan 10, 2005, 11:06 PM
Post #1 of 8 (247 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971

Summary: keyboard-interactive/pam leaks info about user existence
Product: Portable OpenSSH
Version: -current
Platform: All
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: dtucker@zip.com.au
Estimated Hours: 0.00


During keyboard-interactive authentication, if the PAM stack inserts a delay on
bad logins, the delay will be present for accounts that exist, and not present
for accounts that do not.

One solution for 3.9p1 is to set "ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config, since PasswordAuthentication does
not have this issue.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 10, 2005, 11:08 PM
Post #2 of 8 (247 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971





------- Additional Comments From dtucker@zip.com.au 2005-01-11 18:08 -------
Created an attachment (id=765)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=765&action=view)
Make kbdint code call driver even for non-existent users




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 10, 2005, 11:12 PM
Post #3 of 8 (247 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971





------- Additional Comments From dtucker@zip.com.au 2005-01-11 18:12 -------
Created an attachment (id=766)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=766&action=view)
Feed bogus input to PAM for invalid logins

Note: you will need to apply *both* patches (#765 and #766) to completely fix
the problem.

Patch #766 partially by Colin Watson.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 10, 2005, 11:22 PM
Post #4 of 8 (244 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |914
nThis| |





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 10, 2005, 11:25 PM
Post #5 of 8 (245 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO| |701
nThis| |





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 18, 2005, 9:39 PM
Post #6 of 8 (243 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #765 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-01-19 16:39 -------
Created an attachment (id=771)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=771&action=view)
Make kbdint call driver even for invalid logins

Instead of always continuing, this patch now leaves it up to the individual
drivers and adds a authctxt->valid check to bsdauth to maintain the current
behavior for it.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 19, 2005, 7:29 PM
Post #7 of 8 (242 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED




------- Additional Comments From dtucker@zip.com.au 2005-01-20 14:29 -------
This is now fixed in -current and the 3.9 branch:

- (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
existence via keyboard-interactive/pam, in conjunction with previous
auth2-chall.c change; with Colin Watson and djm.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 971] keyboard-interactive/pam leaks info about user existence [ In reply to ]
bugzilla-daemon at mindrot
Jan 19, 2005, 10:45 PM
Post #8 of 8 (244 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=971





------- Additional Comments From senthilkumar_sen@hotpop.com 2005-01-20 17:45 -------
Created an attachment (id=775)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=775&action=view)
Patch for Kerberos timing difference for Valid and Invalid user

For PAM-Passwd Authentication with KerberosAuthentication being set to yes,
there exists a time difference for valid user and invalid user. The attached
patch fixes that.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal