Date: Sun, 27 Oct 2013 19:57:55 +0100 From: Andrei <az@azsupport.com> To: freebsd-security@freebsd.org, des@des.no Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected) Message-ID: <20131027195755.00b0cb2c@azsupport.com> In-Reply-To: <86y55emw8a.fsf@nine.des.no> References: <20131023135408.38752099@azsupport.com> <1382529986.729788.498652166.90148.2@c-st.net> <86y55emw8a.fsf@nine.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 27 Oct 2013 18:58:45 +0100 Dag-Erling Smørgrav <des@des.no> wrote: > >> I found that in the new FreeBSD 9.2 (probably in 10 also) updated > >> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. > >> The problem is that even without a valid SSH login it's possible > >> to know the server's hostname. > > I agree. That looks like an unnecessary privacy violation to me. > > What do you think des@? > > No. This is intentional, and I will not change it. If you don't like > it, you can override the default prompt in your PAM policy; see the > pam_get_authtok() man page for details. In /etc/pam.d/sshd from: auth required pam_unix.so no_warn try_first_pass to: auth required pam_unix.so no_warn try_first_pass authtok_prompt Right? Kind regards, Andrei.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20131027195755.00b0cb2c>