Date: Wed, 23 Oct 2013 14:06:26 +0200 From: Carlo Strub <cs@FreeBSD.org> To: az@azsupport.com Cc: freebsd-security@freebsd.org, des@freebsd.org Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected) Message-ID: <1382529986.729788.498652166.90148.2@c-st.net> In-Reply-To: <20131023135408.38752099@azsupport.com> References: <20131023135408.38752099@azsupport.com>
next in thread | previous in thread | raw e-mail | index | archive | help
23/10/2013 13:56 - Andrei wrote: > Hello, > > I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM sources. > The big embarrassment was in pam_get_authtok.c. The problem is that even without a > valid SSH login it's possible to know the server's hostname. > > az@az:/home/az % ssh 1.2.3.4 > Password for az@real.hostname.com: > > Changes made by "des": http://www.openpam.org/changeset/510/openpam/trunk/lib > > I really do not think that this behavior must be present! I ask the community to > pay > attention to it and remove these harmful changes. > > Kind regards, > Andrei. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > I agree. That looks like an unnecessary privacy violation to me. What do you think des@?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1382529986.729788.498652166.90148.2>