From owner-freebsd-security@FreeBSD.ORG Tue Nov 15 22:17:34 2011
From: Guy Helmer <guy.helmer@palisadesystems.com>
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Tue, 15 Nov 2011 16:17:03 -0600
Subject: Re: Possible pam_ssh bug?
In-Reply-To: <86ty65qecx.fsf@ds4.des.no>
References: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> <86ty65qecx.fsf@ds4.des.no>

On Nov 15, 2011, at 3:12 PM, Dag-Erling Smørgrav wrote:

> Guy Helmer writes:
>> I have a shell user who is able to log in to his accounts via sshd on
>> FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and
>> .ssh/id_rsa.pub key pair without a password but nullok was not
>> specified, so I think this should be considered a bug.
>
> It turns out that this goes all the way to OpenSSL, which ignores the
> passphrase if the key is not encrypted. The only solution I can think
> of - more of a workaround, really - is to first try to load the key with
> an empty passphrase, and skip the key if that worked. See the attached
> (untested) patch.
>
> A more advanced patch would load all keys but require at least one of
> them to have a passphrase.
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>

Yes, that patch applied OK to the 8.2 test machine and resolved the issue with the unencrypted id_rsa private key.

I didn't know of any other way to check the key either - nothing jumped out at me from the OpenSSL API documentation.

Thanks for the quick turnaround,
Guy
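As an added illustration (not code from this thread, from pam_ssh or from OpenSSL), the check DES describes recast as a small Python audit: it decides whether a private-key file actually demands a passphrase and then applies both of his proposed rules, skip unencrypted keys unless nullok, or load all keys only if at least one is passphrase-protected. It goes beyond the 2011 thread by also recognising PKCS#8 and OpenSSH-native key files; the function names and the sample key files are constructed for the example and carry no real key material.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data

def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed OpenSSH-format key file holding only the header fields
    that decide whether a passphrase is required (no real key material)."""
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    b64 = base64.b64encode(body + struct.pack(">I", 1)).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def key_is_encrypted(text: str) -> bool:
    """True only if opening this private key file needs a passphrase."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:   # PKCS#8, encrypted
        return True
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:      # OpenSSH native format
        b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 file")
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    # Traditional PEM, the form pam_ssh handed to OpenSSL in 2011: an unencrypted
    # file just lacks the Proc-Type/DEK-Info headers, so any passphrase "works".
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", text, re.M) is not None

def usable_keys(keys: dict, nullok: bool = False) -> list:
    """First patch's rule: without nullok, skip every unencrypted key."""
    return [name for name, text in keys.items() if nullok or key_is_encrypted(text)]

def keys_if_any_protected(keys: dict) -> list:
    """Stricter variant: load all keys, but only if at least one has a passphrase."""
    return list(keys) if any(key_is_encrypted(t) for t in keys.values()) else []

# Constructed sample key files (placeholders, no real key material).
SAMPLE_KEYS = {
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519": make_openssh_key(b"none", b"none"),
    "id_ed25519_enc": make_openssh_key(b"aes256-ctr", b"bcrypt"),
}
```

With nullok left off, only id_rsa_enc and id_ed25519_enc survive usable_keys, which is exactly the behaviour the original report expected from pam_ssh.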