From owner-svn-src-stable-9@FreeBSD.ORG Sun Dec 11 16:57:28 2011 Return-Path: Delivered-To: svn-src-stable-9@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 26841106564A; Sun, 11 Dec 2011 16:57:28 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 0CAB28FC0A; Sun, 11 Dec 2011 16:57:28 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id pBBGvRHj060662; Sun, 11 Dec 2011 16:57:27 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id pBBGvRVF060660; Sun, 11 Dec 2011 16:57:27 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201112111657.pBBGvRVF060660@svn.freebsd.org> From: Dag-Erling Smorgrav Date: Sun, 11 Dec 2011 16:57:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r228410 - stable/9/lib/libpam/modules/pam_ssh X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Dec 2011 16:57:28 -0000 Author: des Date: Sun Dec 11 16:57:27 2011 New Revision: 228410 URL: http://svn.freebsd.org/changeset/base/228410 Log: MFH r227757: check for null passphrases, since openssl doesn't Approved by: re (kib) Security: prevents users with unencrypted ssh keys (prohibited unless the nullok option is specified) from logging in by providing a bogus non-null passphrase. Modified: stable/9/lib/libpam/modules/pam_ssh/pam_ssh.c Directory Properties: stable/9/lib/libpam/ (props changed) Modified: stable/9/lib/libpam/modules/pam_ssh/pam_ssh.c ============================================================================== --- stable/9/lib/libpam/modules/pam_ssh/pam_ssh.c Sun Dec 11 14:01:11 2011 (r228409) +++ stable/9/lib/libpam/modules/pam_ssh/pam_ssh.c Sun Dec 11 16:57:27 2011 (r228410) @@ -91,7 +91,8 @@ static char *const pam_ssh_agent_envp[] * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, + int nullok) { struct pam_ssh_key *psk; char fn[PATH_MAX]; @@ -101,7 +102,21 @@ pam_ssh_load_key(const char *dir, const if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); comment = NULL; - key = key_load_private(fn, passphrase, &comment); + /* + * If the key is unencrypted, OpenSSL ignores the passphrase, so + * it will seem like the user typed in the right one. This allows + * a user to circumvent nullok by providing a dummy passphrase. + * Verify that the key really *is* encrypted by trying to load it + * with an empty passphrase, and if the key is not encrypted, + * accept only an empty passphrase. + */ + key = key_load_private(fn, NULL, &comment); + if (key != NULL && !(*passphrase == '\0' && nullok)) { + key_free(key); + return (NULL); + } + if (key == NULL) + key = key_load_private(fn, passphrase, &comment); if (key == NULL) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); return (NULL); @@ -168,9 +183,6 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); - if (*passphrase == '\0' && !nullok) - goto skip_keys; - /* switch to user credentials */ pam_err = openpam_borrow_cred(pamh, pwd); if (pam_err != PAM_SUCCESS) @@ -178,7 +190,7 @@ pam_sm_authenticate(pam_handle_t *pamh, /* try to load keys from all keyfiles we know of */ for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); + psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys; @@ -188,7 +200,6 @@ pam_sm_authenticate(pam_handle_t *pamh, /* switch back to arbitrator credentials */ openpam_restore_cred(pamh); - skip_keys: /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the From owner-svn-src-stable-9@FreeBSD.ORG Tue Dec 13 12:59:39 2011 Return-Path: Delivered-To: svn-src-stable-9@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BDF81106566B; Tue, 13 Dec 2011 12:59:39 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id AC39E8FC0A; Tue, 13 Dec 2011 12:59:39 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id pBDCxduh050689; Tue, 13 Dec 2011 12:59:39 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id pBDCxduA050687; Tue, 13 Dec 2011 12:59:39 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201112131259.pBDCxduA050687@svn.freebsd.org> From: Dag-Erling Smorgrav Date: Tue, 13 Dec 2011 12:59:39 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r228464 - stable/9/contrib/openpam/lib X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Dec 2011 12:59:39 -0000 Author: des Date: Tue Dec 13 12:59:39 2011 New Revision: 228464 URL: http://svn.freebsd.org/changeset/base/228464 Log: MFH r228384: validate the service name Approved by: re (kib) Security: some poorly thought out programs allow the user to specify the service name; this patch makes it harder to trick these programs into loading and executing arbitrary code. Modified: stable/9/contrib/openpam/lib/openpam_configure.c Directory Properties: stable/9/contrib/openpam/ (props changed) Modified: stable/9/contrib/openpam/lib/openpam_configure.c ============================================================================== --- stable/9/contrib/openpam/lib/openpam_configure.c Tue Dec 13 11:54:51 2011 (r228463) +++ stable/9/contrib/openpam/lib/openpam_configure.c Tue Dec 13 12:59:39 2011 (r228464) @@ -285,6 +285,13 @@ openpam_load_chain(pam_handle_t *pamh, size_t len; int r; + /* don't allow to escape from policy_path */ + if (strchr(service, '/')) { + openpam_log(PAM_LOG_ERROR, "invalid service name: %s", + service); + return (-PAM_SYSTEM_ERR); + } + for (path = openpam_policy_path; *path != NULL; ++path) { len = strlen(*path); if ((*path)[len - 1] == '/') {