From: Guy Helmer
Date: Tue, 15 Nov 2011 10:39:31 -0600
To: freebsd-security@freebsd.org
Subject: Possible pam_ssh bug?

I have a shell user who is able to log in to his accounts via sshd on FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password but nullok was not specified, so I think this should be considered a bug.

During diagnosis, /etc/pam.d/sshd was configured for authentication using:

-------------
auth            required        pam_ssh.so              no_warn try_first_pass
-------------

I enabled _openpam_debug in pam_ssh and found this during a login via sshd to the user's account:

-------------
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/identity
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/id_dsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking login.access for user targetuser from host 172.16.1.240
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got login_cap
-------------

The view from the client machine during the login:

-------------
client:/usr/src/lib/libpam/modules/pam_ssh (557) ssh targetuser@fbsd8-i386
SSH passphrase:
Last login: Tue Nov 15 08:39:28 2011 from 172.16.2.218
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 8.2-RC3 (GENERIC) #0: Sat Jan 29 19:26:23 CST 2011
-------------

So, it asked for the target user's passphrase and successfully authenticated with any password. I understand what happened but I'm rather astonished by the result - I would not have expected pam_ssh to have succeeded on a passwordless key file when a password was required in the pam configuration file, based on the pam_ssh.8 man page:

     nullok      Normally, keys with no passphrase are ignored for
                 authentication purposes.  If this option is set, keys
                 with no passphrase will be taken into consideration,
                 allowing the user to log in with a blank password.

Thoughts?

Thanks,
Guy Helmer
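
An added example, not part of the original message and not pam_ssh code: a Python audit that reports whether the key files named in the debug log above (identity, id_rsa, id_dsa) carry a passphrase, since a passphrase-less key is the condition under which the login above succeeded. It goes beyond the legacy PEM case in the report by also recognising SSH protocol 1 and openssh-key-v1 files; the function names and the sample inputs are constructed for illustration.

```python
import base64
import struct
from pathlib import Path

KEY_NAMES = ("identity", "id_rsa", "id_dsa")   # files pam_ssh tried in the log above
SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"
V1_MAGIC = b"openssh-key-v1\x00"
# Constructed samples (header structure only, not real keys); names are illustrative.
SAMPLE_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")

def key_protection(data: bytes) -> str:
    """Classify a private key file as 'encrypted', 'unencrypted' or 'unknown'."""
    if data.startswith(SSH1_MAGIC):            # protocol 1 key: next byte is cipher type
        if len(data) == len(SSH1_MAGIC):
            return "unknown"
        return "unencrypted" if data[len(SSH1_MAGIC)] == 0 else "encrypted"
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    if "OPENSSH PRIVATE KEY" in lines[0]:      # cipher name follows the magic string
        try:
            blob = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-")))
        except ValueError:
            return "unknown"
        off = len(V1_MAGIC)
        if not blob.startswith(V1_MAGIC) or len(blob) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:    # PKCS#8 encrypted container
        return "encrypted"
    if "PRIVATE KEY" in lines[0]:              # legacy PEM: encrypted keys carry Proc-Type
        enc = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])
        return "encrypted" if enc else "unencrypted"
    return "unknown"

def audit_home(home) -> dict:
    """Map each pam_ssh key file present under home/.ssh to its protection state."""
    found = {}
    for name in KEY_NAMES:
        path = Path(home) / ".ssh" / name
        if path.is_file():
            found[name] = key_protection(path.read_bytes())
    return found
```

Running `audit_home()` over each home directory on a host that uses pam_ssh for `auth` lists the accounts whose keys report `unencrypted`.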