Date: Sun, 27 Oct 2013 18:58:45 +0100 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: Carlo Strub <cs@FreeBSD.org> Cc: freebsd-security@freebsd.org, az@azsupport.com Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected) Message-ID: <86y55emw8a.fsf@nine.des.no> In-Reply-To: <1382529986.729788.498652166.90148.2@c-st.net> (Carlo Strub's message of "Wed, 23 Oct 2013 14:06:26 %2B0200") References: <20131023135408.38752099@azsupport.com> <1382529986.729788.498652166.90148.2@c-st.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Carlo Strub <cs@FreeBSD.org> writes: > Andrei <az@azsupport.com> writes: >> I found that in the new FreeBSD 9.2 (probably in 10 also) updated >> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The >> problem is that even without a valid SSH login it's possible to know >> the server's hostname. > I agree. That looks like an unnecessary privacy violation to me. What > do you think des@? No. This is intentional, and I will not change it. If you don't like it, you can override the default prompt in your PAM policy; see the pam_get_authtok() man page for details. DES -- Dag-Erling Smørgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86y55emw8a.fsf>