From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 17:58:46 2013
From: Dag-Erling Smørgrav
To: Carlo Strub
Cc: freebsd-security@freebsd.org, az@azsupport.com
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 18:58:45 +0100

Carlo Strub writes:
> Andrei writes:
>> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
>> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The
>> problem is that even without a valid SSH login it's possible to know
>> the server's hostname.
> I agree. That looks like an unnecessary privacy violation to me. What
> do you think des@?

No. This is intentional, and I will not change it. If you don't like
it, you can override the default prompt in your PAM policy; see the
pam_get_authtok() man page for details.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 18:11:14 2013
From: "Steven Hartland"
To: Dag-Erling Smørgrav, "Carlo Strub"
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 18:11:15 -0000
Cc: freebsd-security@freebsd.org, az@azsupport.com

----- Original Message -----
From: "Dag-Erling Smørgrav"
> Carlo Strub writes:
>> Andrei writes:
>>> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
>>> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The
>>> problem is that even without a valid SSH login it's possible to know
>>> the server's hostname.
>> I agree. That looks like an unnecessary privacy violation to me. What
>> do you think des@?
>
> No. This is intentional, and I will not change it. If you don't like
> it, you can override the default prompt in your PAM policy; see the
> pam_get_authtok() man page for details.

Out of curiosity what's the reasoning behind it doing things?

Regards
Steve

================================================
This e.mail is private and confidential between Multiplay (UK) Ltd. and
the person or entity to whom it is addressed. In the event of
misdirection, the recipient is prohibited from using, copying, printing
or otherwise disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission
please telephone +44 845 868 1337 or return the E.mail to
postmaster@multiplay.co.uk.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 18:24:27 2013
From: "Steven Hartland"
To: "Steven Hartland", Dag-Erling Smørgrav, "Carlo Strub"
Cc: freebsd-security@freebsd.org, az@azsupport.com
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 18:24:28 -0000

----- Original Message -----
From: "Steven Hartland"
> ----- Original Message -----
> From: "Dag-Erling Smørgrav"
>> Carlo Strub writes:
>>> Andrei writes:
>>>> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
>>>> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The
>>>> problem is that even without a valid SSH login it's possible to know
>>>> the server's hostname.
>>> I agree. That looks like an unnecessary privacy violation to me. What
>>> do you think des@?
>>
>> No. This is intentional, and I will not change it. If you don't like
>> it, you can override the default prompt in your PAM policy; see the
>> pam_get_authtok() man page for details.
>
> Out of curiosity what's the reasoning behind it doing things?

That was meant to say doing "this" not things?

Regards
Steve

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 18:58:05 2013
From: Andrei
To: freebsd-security@freebsd.org, des@des.no
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 19:57:55 +0100

On Sun, 27 Oct 2013 18:58:45 +0100
Dag-Erling Smørgrav wrote:

> >> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
> >> OpenPAM sources. The big embarrassment was in pam_get_authtok.c.
> >> The problem is that even without a valid SSH login it's possible
> >> to know the server's hostname.
> > I agree. That looks like an unnecessary privacy violation to me.
> > What do you think des@?
>
> No. This is intentional, and I will not change it. If you don't like
> it, you can override the default prompt in your PAM policy; see the
> pam_get_authtok() man page for details.

In /etc/pam.d/sshd from:
auth required pam_unix.so no_warn try_first_pass
to:
auth required pam_unix.so no_warn try_first_pass authtok_prompt

Right?

Kind regards,
Andrei.

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 21:33:58 2013
From: Dag-Erling Smørgrav
To: Andrei
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 22:33:56 +0100
Cc: freebsd-security@freebsd.org

Andrei writes:
> In /etc/pam.d/sshd from:
> auth required pam_unix.so no_warn try_first_pass
> to:
> auth required pam_unix.so no_warn try_first_pass authtok_prompt
>
> Right?

auth required pam_unix.so no_warn try_first_pass authtok_prompt="Password:"

BTW, I recently noticed that try_first_pass doesn't work as documented
(and hasn't for ten years), but I haven't had time to fix it yet.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 21:50:13 2013
From: Dag-Erling Smørgrav
To: "Steven Hartland"
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 22:50:12 +0100
Cc: freebsd-security@freebsd.org, Carlo Strub, az@azsupport.com

"Steven Hartland" writes:
> Out of curiosity what's the reasoning behind it doing things?

Less confusion when proxying one SSH connection through another, for
one. FWIW, it mirrors what most Linux distros do.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 21:50:20 2013
From: Andrei
To: freebsd-security@freebsd.org, des@des.no
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 22:50:16 +0100

On Sun, 27 Oct 2013 22:33:56 +0100
Dag-Erling Smørgrav wrote:

> Andrei writes:
> > In /etc/pam.d/sshd from:
> > auth required pam_unix.so no_warn
> > try_first_pass to:
> > auth required pam_unix.so no_warn try_first_pass authtok_prompt
> >
> > Right?
>
> auth required pam_unix.so no_warn try_first_pass
> authtok_prompt="Password:"
>
> BTW, I recently noticed that try_first_pass doesn't work as documented
> (and hasn't for ten years), but I haven't had time to fix it yet.

You might be surprised, but authtok_prompt="Password:" has the same results as
just authtok_prompt. Empty screen and no "Password:" prompt.
FreeBSD 9.2 tested.

Kind regards,
Andrei.

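The override discussed in the messages above, as an added check that is not part of the thread or of OpenPAM: it lists which `auth` lines of a PAM policy still use the default prompt, carry a bare `authtok_prompt`, or set an explicit one. The policy syntax handled (`facility control module [options]`, `#` comments, double-quoted values), the function names and the sample policy are assumptions made for this example.

```python
import os
import shlex

# Constructed sample policy in the style of /etc/pam.d/sshd; its three auth
# lines are the three forms that appear in the thread.
SAMPLE_POLICY = """\
# auth (constructed sample)
auth      required  pam_unix.so  no_warn try_first_pass
auth      required  pam_unix.so  no_warn try_first_pass authtok_prompt
auth      required  pam_unix.so  no_warn try_first_pass authtok_prompt="Password:"
account   required  pam_unix.so
auth      include   system
"""


def module_name(path):
    """Reduce a module path to its bare name: '/usr/lib/pam_unix.so.5' -> 'pam_unix'."""
    return os.path.basename(path).split(".so")[0]


def audit_prompt_override(policy_text, module="pam_unix"):
    """Return (line_number, status, prompt) for every auth line that uses `module`.

    status is one of:
      'default-prompt'  no authtok_prompt option, so the built-in prompt is used
      'empty-override'  authtok_prompt given without a value
      'overridden'      authtok_prompt=<text>; prompt holds <text>
      'unparsable'      unbalanced quoting on the line
    """
    findings = []
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        try:
            # Assumed syntax: facility control module [options], '#' starts a
            # comment, double quotes protect option values containing spaces.
            words = shlex.split(raw, comments=True)
        except ValueError:
            findings.append((lineno, "unparsable", None))
            continue
        if len(words) < 3 or words[0].lower() != "auth":
            continue  # blank line, comment, or another facility
        if module_name(words[2]) != module:
            continue  # other modules; 'include' lines need their own pass
        status, prompt = "default-prompt", None
        for opt in words[3:]:
            key, _, value = opt.partition("=")
            if key == "authtok_prompt":
                if value:
                    status, prompt = "overridden", value
                else:
                    status, prompt = "empty-override", ""
        findings.append((lineno, status, prompt))
    return findings


if __name__ == "__main__":
    for lineno, status, prompt in audit_prompt_override(SAMPLE_POLICY):
        detail = f" ({prompt!r})" if prompt else ""
        print(f"line {lineno}: {status}{detail}")
```

The check reads only the policy text; since the thread reports an empty prompt on 9.2 even with an explicit value, the prompt a client actually receives still has to be confirmed on the host.
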
From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 22:09:39 2013
From: Patrick Proniewski
To: Liste FreeBSD-security
Cc: des@des.no, Andrei
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 23:00:49 +0100

On 27 oct. 2013, at 22:50, Andrei wrote:

> On Sun, 27 Oct 2013 22:33:56 +0100
> Dag-Erling Smørgrav wrote:
>
>> Andrei writes:
>>> In /etc/pam.d/sshd from:
>>> auth required pam_unix.so no_warn
>>> try_first_pass to:
>>> auth required pam_unix.so no_warn try_first_pass authtok_prompt
>>>
>>> Right?
>>
>> auth required pam_unix.so no_warn try_first_pass
>> authtok_prompt="Password:"
>>
>> BTW, I recently noticed that try_first_pass doesn't work as documented
>> (and hasn't for ten years), but I haven't had time to fix it yet.
>
> You might be surprised, but authtok_prompt="Password:" has the same results as
> just authtok_prompt. Empty screen and no "Password:" prompt.
> FreeBSD 9.2 tested.

Same here (9.2-RELEASE amd64), whatever I put for authtok_prompt.
The end of a verbose attempt reads:

debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

and then, nothing.

patpro

From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 23:05:07 2013
From: "Steven Hartland"
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Carlo Strub, az@azsupport.com
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 23:05:08 -0000

Thanks that's useful info :)

----- Original Message -----
From: "Dag-Erling Smørgrav"

"Steven Hartland" writes:
> Out of curiosity what's the reasoning behind it doing things?

Less confusion when proxying one SSH connection through another, for
one. FWIW, it mirrors what most Linux distros do.

From owner-freebsd-security@FreeBSD.ORG Mon Oct 28 19:57:08 2013
From: Andrei
To: freebsd-security@freebsd.org
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Mon, 28 Oct 2013 20:56:57 +0100

On Sun, 27 Oct 2013 22:50:12 +0100
Dag-Erling Smørgrav wrote:

> "Steven Hartland" writes:
> > Out of curiosity what's the reasoning behind it doing things?
>
> Less confusion when proxying one SSH connection through another, for
> one. FWIW, it mirrors what most Linux distros do.

How about just IP as Linux does:

az@az:~$ ssh test@1.2.3.4
test@1.2.3.4's password:

I think if you change the hostname to IP (without Linux style "'s" at the end of IP)
in the default settings, in this case everyone will be happy. :)

Kind regards,
Andrei.

From owner-freebsd-security@FreeBSD.ORG Tue Oct 29 12:42:58 2013
From: Dag-Erling Smørgrav
To: Andrei
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Tue, 29 Oct 2013 13:42:52 +0100
In-Reply-To: <20131027225016.3cdab10e@azsupport.com> (Andrei's message of "Sun, 27 Oct 2013 22:50:16 +0100")
Message-ID: <86li1cmenn.fsf@nine.des.no>
Cc: freebsd-security@freebsd.org

Andrei writes:
> You might be surprised, but authtok_prompt="Password:" has the same
> results as just authtok_prompt. Empty screen and no "Password:"
> prompt. FreeBSD 9.2 tested.
That's interesting. It works in 10.0 (OpenPAM Nummularia). I will try to find the bug and consider issuing an errata notice for 9.1 and 9.2.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Nov 1 16:08:07 2013
Date: Fri, 01 Nov 2013 16:05:51 +0000
From: Karl Pielorz
To: freebsd-security@freebsd.org
Subject: ntpd 4.2.4p8 - up to date?
Message-ID: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk>

Hi,

A friend who uses Linux a lot happened to notice on a FreeBSD box I installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.

They reckon that's had a lot of issues (e.g. CVE reports) against it - and it should be newer.
I'm sure the one it has been 'updated' with is secure - and just reports that version, but if someone can confirm that'd be great,

Thanks,

-Karl

From owner-freebsd-security@FreeBSD.ORG Fri Nov 1 16:31:09 2013
In-Reply-To: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk>
Date: Fri, 1 Nov 2013 16:31:07 +0000
Subject: Re: ntpd 4.2.4p8 - up to date?
From: Tom Evans
To: Karl Pielorz
Cc: freebsd-security@freebsd.org

On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz wrote:
>
> Hi,
>
> A friend who uses Linux a lot happened to notice on a FreeBSD box I
> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.
>
> They reckon that's had a lot of issues (e.g. CVE reports) against it - and
> it should be newer.
>
> I'm sure the one it has been 'updated' with is secure - and just reports
> that version, but if someone can confirm that'd be great,
>

Don't take anything I say as confirmation, but I would have thought, looking at this page [1], that he is wrong. All the CVEs listed there say they apply to "before 4.2.4p8" or a lower version.
Cheers

Tom

[1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html

From owner-freebsd-security@FreeBSD.ORG Sat Nov 2 00:18:36 2013
Subject: Re: ntpd 4.2.4p8 - up to date?
From: Dimitry Andric
Date: Sat, 2 Nov 2013 01:18:24 +0100
To: Tom Evans
Cc: freebsd-security@freebsd.org, Karl Pielorz

On 01 Nov 2013, at 17:31, Tom Evans wrote:
> On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz wrote:
>>
>> Hi,
>>
>> A friend who uses Linux a lot happened to notice on a FreeBSD box I
>> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.
>>
>> They reckon that's had a lot of issues (e.g. CVE reports) against it - and
>> it should be newer.
>>
>> I'm sure the one it has been 'updated' with is secure - and just reports
>> that version, but if someone can confirm that'd be great,
>>
>
> Don't take anything I say as confirmation, but I would have thought,
> looking at this page [1], that he is wrong. All the CVEs listed there
> say they apply to "before 4.2.4p8" or a lower version.
>
> Cheers
>
> Tom
>
> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html

That page lists a bunch of CVEs, and the relevant ones have already had FreeBSD security advisories:

CVE-2009-3563 http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc
CVE-2009-1252 http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc
CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2
CVE-2009-0021 not relevant, NTP before 4.2.4p5
CVE-2004-0657 not relevant, NTP before 4.0

-Dimitry

From owner-freebsd-security@FreeBSD.ORG Sat Nov 2 20:24:57 2013
Date: Sat, 02 Nov 2013 20:24:48 +0100
From: Karl Pielorz
To: Dimitry Andric
Subject: Re: ntpd 4.2.4p8 - up to date?
Cc: freebsd-security@freebsd.org

--On 2 November 2013 01:18:24 +0100 Dimitry Andric wrote:

>> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
>
> That page lists a bunch of CVEs, and the relevant ones have already had
> FreeBSD security advisories:
>
> CVE-2009-3563
> http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc
> CVE-2009-1252
> http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc
> CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2
> CVE-2009-0021 not relevant, NTP before 4.2.4p5
> CVE-2004-0657 not relevant, NTP before 4.0

So as I'd kind of guessed - it's not really vanilla 4.2.4p8 that it's running, it's based on 4.2.4p8 with additional patches that have been applied by FreeBSD, to address the applicable notifications?
-Karl

From owner-freebsd-security@FreeBSD.ORG Sat Nov 2 22:59:43 2013
Message-ID: <527583D4.70409@bluerosetech.com>
Date: Sat, 02 Nov 2013 15:59:32 -0700
From: Darren Pilgrim
To: Karl Pielorz, freebsd-security@freebsd.org
Subject: Re: ntpd 4.2.4p8 - up to date?
In-Reply-To: <7403C046ABF387E5061BC441@Mail-PC.tdx.co.uk>

On 11/1/2013 9:05 AM, Karl Pielorz wrote:
> A friend who uses Linux a lot happened to notice on a FreeBSD box I
> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.

There are two ntpd's in ports: a newer version of the one in base (it's literally a drop-in replacement) and OpenBSD's openntpd. If you just need a local accurate clock and maybe time service for your LAN, the one in base is ok because you can configure it to work around the open CVEs. If you're running a public NTP service, you can't work around spoofing vulnerabilities, so use one of the ports because you can keep it up to date much more easily.

You can remove ntpd from the base yourself:

1. Add "WITHOUT_NTP" to /etc/src.conf
2. Run the delete-old and delete-old-libs targets to "uninstall" the base ntpd.
3. Install ports/etc/ntp

The port uses the in-base RC script, so you need to set

ntpd_program="/usr/local/bin/ntpd"
ntpd_config="/usr/local/etc/ntp.conf"

in /etc/rc.conf to repoint the script at the port. You don't have to move ntp.conf, but /etc/ntp.conf gets removed by the delete-old target.
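The version reasoning earlier in this thread (advisories scoped to "before" a given release, checked against a host reporting 4.2.4p8), as an added example that is not part of any poster's message or of FreeBSD's code. The function names and verdict strings are assumptions; the CVE ids, "before" bounds and advisory names are the ones quoted in the thread, and 4.2.4p10 in the comment is a constructed version.

```python
import re

# Release strings as they appear in the thread: 4.2.4p8, 4.2.4p7-RC2, 4.2.4p5, 4.0
_NTP_VERSION = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?(?:-RC(\d+))?$", re.IGNORECASE
)

# (CVE, upstream "before" bound, FreeBSD advisory), all as quoted in the thread.
# None means the thread does not give that value.
ADVISORIES = [
    ("CVE-2009-3563", None, "FreeBSD-SA-10:02.ntpd"),
    ("CVE-2009-1252", None, "FreeBSD-SA-09:11.ntpd"),
    ("CVE-2009-0159", "4.2.4p7-RC2", None),
    ("CVE-2009-0021", "4.2.4p5", None),
    ("CVE-2004-0657", "4.0", None),
]


def ntp_version_key(version):
    """Turn an NTP release string into a tuple that sorts in release order."""
    match = _NTP_VERSION.match(version.strip())
    if match is None:
        raise ValueError("unrecognised NTP version: %r" % version)
    major, minor, micro, patch, rc = match.groups()
    # A release candidate precedes the final release of the same patch level,
    # so 4.2.4p7-RC2 < 4.2.4p7. Plain string comparison gets this wrong, and
    # also ranks a constructed 4.2.4p10 below 4.2.4p8.
    rc_rank = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(micro or 0), int(patch or 0)) + rc_rank


def in_before_range(installed, before):
    """True when `installed` falls inside an advisory scoped 'before <before>'."""
    return ntp_version_key(installed) < ntp_version_key(before)


def triage(installed):
    """Classify each advisory for a host reporting `installed`."""
    verdicts = {}
    for cve, before, vendor_advisory in ADVISORIES:
        if before is None:
            # The reported version cannot show whether a vendor patch is applied;
            # that has to be checked against the advisory itself.
            verdicts[cve] = "check " + vendor_advisory
        elif in_before_range(installed, before):
            verdicts[cve] = "in range"
        else:
            verdicts[cve] = "out of range"
    return verdicts


if __name__ == "__main__":
    for cve, verdict in triage("4.2.4p8").items():
        print(cve, verdict)
```

The "check" verdicts are the cases where the version string alone decides nothing: a base-system ntpd that still reports 4.2.4p8 may or may not carry the advisory's patch.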