From: Patrick Proniewski
To: Liste FreeBSD-security
Cc: des@des.no, Andrei
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 23:00:49 +0100

On 27 oct. 2013, at 22:50, Andrei wrote:

> On Sun, 27 Oct 2013 22:33:56 +0100
> Dag-Erling Smørgrav wrote:
>
>> Andrei writes:
>>> In /etc/pam.d/sshd from:
>>> auth required pam_unix.so no_warn try_first_pass
>>> to:
>>> auth required pam_unix.so no_warn try_first_pass authtok_prompt
>>>
>>> Right?
>>
>> auth required pam_unix.so no_warn try_first_pass authtok_prompt="Password:"
>>
>> BTW, I recently noticed that try_first_pass doesn't work as documented
>> (and hasn't for ten years), but I haven't had time to fix it yet.
>
> You might be surprised, but authtok_prompt="Password:" has the same results as
> just authtok_prompt. Empty screen and no "Password:" prompt.
> FreeBSD 9.2 tested.

Same here (9.2-RELEASE amd64), whatever I put for authtok_prompt.
The end of a verbose attempt reads:

debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

and then, nothing.

patpro