Date:      Tue, 15 Nov 2011 10:39:31 -0600
From:      Guy Helmer <guy.helmer@palisadesystems.com>
To:        freebsd-security@freebsd.org
Subject:   Possible pam_ssh bug?
Message-ID:  <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com>


I have a shell user who is able to log in to his accounts via sshd on FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password, but nullok was not specified, so I think this should be considered a bug.

During diagnosis, /etc/pam.d/sshd was configured for authentication using: 

-------------
auth            required      pam_ssh.so              no_warn try_first_pass
-------------

I enabled _openpam_debug in pam_ssh and found this during a login via sshd to the user's account:

-------------
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/identity
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/id_dsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking login.access for user targetuser from host 172.16.1.240
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got login_cap
-------------

The view from the client machine during the login:

-------------
client:/usr/src/lib/libpam/modules/pam_ssh (557) ssh targetuser@fbsd8-i386
SSH passphrase: 
Last login: Tue Nov 15 08:39:28 2011 from 172.16.2.218
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
	The Regents of the University of California.  All rights reserved.

FreeBSD 8.2-RC3 (GENERIC) #0: Sat Jan 29 19:26:23 CST 2011
-------------

So, it asked for the target user's passphrase and successfully authenticated with any password. I understand what happened but I'm rather astonished by the result - I would not have expected pam_ssh to have succeeded on a passwordless key file when a password was required in the pam configuration file, based on the pam_ssh.8 man page:

     nullok          Normally, keys with no passphrase are ignored for authen-
                     tication purposes.  If this option is set, keys with no
                     passphrase will be taken into consideration, allowing the
                     user to log in with a blank password.


Thoughts?

Thanks,
Guy Helmer
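
An audit for the condition reported above, as an added example that is not part of the original message or of pam_ssh: it finds active `auth ... pam_ssh.so` rules in a PAM file and lists private keys that carry no passphrase. The function names and sample data are hypothetical and constructed; key detection assumes the legacy PEM `Proc-Type: 4,ENCRYPTED` header, the PKCS#8 `ENCRYPTED PRIVATE KEY` label, and the `openssh-key-v1` cipher-name field.

```python
import base64, re, struct

MAGIC = b"openssh-key-v1\0"  # AUTH_MAGIC of the newer OpenSSH private key format
PEM = re.compile(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----(.*?)-----END \1PRIVATE KEY-----", re.S)

def key_is_encrypted(text):
    """True/False for a private key file's text; None if not recognised."""
    m = PEM.search(text)
    if not m:
        return None
    kind, body = m.group(1).strip(), m.group(2)
    if kind == "ENCRYPTED":              # PKCS#8 EncryptedPrivateKeyInfo
        return True
    if kind == "OPENSSH":                # cipher name is the first field after the magic
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    return "Proc-Type: 4,ENCRYPTED" in body   # legacy PEM (RSA/DSA/EC)

def pam_ssh_auth_lines(pam_text):
    """Yield (line, has_nullok) for every active 'auth ... pam_ssh.so' rule."""
    for line in pam_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "auth" and f[2].endswith("pam_ssh.so"):
            yield line.strip(), "nullok" in f[3:]

def audit(pam_text, keys):
    """Return key paths that have no passphrase while pam_ssh handles auth."""
    if not list(pam_ssh_auth_lines(pam_text)):
        return []
    return sorted(p for p, t in keys.items() if key_is_encrypted(t) is False)

# Constructed sample data (key bodies are filler, not real keys).
PAM_SSHD = "auth            required      pam_ssh.so              no_warn try_first_pass\n"
def _pem(kind, body, hdr=""):
    return f"-----BEGIN {kind}PRIVATE KEY-----\n{hdr}{body}\n-----END {kind}PRIVATE KEY-----\n"
def _ossh(cipher):
    raw = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\0" * 8
    return _pem("OPENSSH ", base64.b64encode(raw).decode())
KEYS = {
    "/home/a/.ssh/id_rsa": _pem("RSA ", "QUFBQQ=="),
    "/home/b/.ssh/id_rsa": _pem("RSA ", "QUFBQQ==", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"),
    "/home/c/.ssh/id_ed25519": _ossh(b"none"),
    "/home/d/.ssh/id_ed25519": _ossh(b"aes256-ctr"),
}

if __name__ == "__main__":
    print(list(pam_ssh_auth_lines(PAM_SSHD)), audit(PAM_SSHD, KEYS))
```

The audit lists passphrase-less keys whether or not `nullok` is set, because the message reports that such a key was accepted without it.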
