From owner-freebsd-bugs@FreeBSD.ORG Mon Nov 30 10:40:02 2009
Message-Id: <20091130101331.E857AD4C1E@fourquid.cs.ru.nl>
Date: Mon, 30 Nov 2009 11:13:31 +0100 (CET)
From: Olaf Seibert
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: olafs@cs.ru.nl
Subject: bin/141016: PAM checks in sshd too few?
Reply-To: Olaf Seibert

>Number: 141016
>Category: bin
>Synopsis: PAM checks in sshd too few?
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 30 10:40:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Olaf Seibert
>Release: FreeBSD 8.0-RC2 amd64
>Organization:
>Environment:
System: FreeBSD fourquid.cs.ru.nl 8.0-RC2 FreeBSD 8.0-RC2 #3: Mon Nov 2 12:56:50 CET 2009 root@fourquid.cs.ru.nl:/usr/src/sys/amd64/compile/FOURQUID amd64
>Description:
I use port security/pam_af to help me against brute force login attacks. I use it both on FreeBSD and NetBSD. It works by being first in the "auth" list of the PAM config file. It hooks into pam_sm_authenticate(), where it registers a (potentially failed) login attempt. If the counter is too high, it blocks the login. Then later, if pam_sm_setcred() is called, it registers the login attempt as a success by resetting the login attempt counter.

I have observed a significant difference in behaviour on both OSes, and I think FreeBSD is significantly less secure than it could (and should) be.

Sshd is logging large amounts of login attempts. However, hardly any of the hosts involved end up blocked by pam_af. This can only mean that pam_sm_authenticate() isn't always called for all login attempts. It seems like it is only called for login attempts with actually existing users.
NetBSD's sshd, on the other hand, nicely registers these attempts and blocks the offending hosts. In my opinion, it would be better if FreeBSD did the same. It would make tools like pam_af much more effective.

I first noticed this on FreeBSD 6.1, but it is unchanged in 8.0.

I notice another port, security/pam-abl, which at a glance appears to work similarly so it would fail similarly.
>How-To-Repeat:
Install security/pam_af and observe its statistics database. See that almost none of the hosts that sshd logs are in it.
>Fix:
Sorry, I don't know what diversion has grown between both *BSD's sshd. Diffs appear to be large though.

-Olaf Seibert.
-- 
>Release-Note:
>Audit-Trail:
>Unformatted:
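The following is an added model of the mechanism the report describes, not pam_af's or sshd's code: a per-host failure counter driven by stand-ins for pam_sm_authenticate() and pam_sm_setcred(), exercised under the two sshd call patterns the reporter contrasts. Function names, the threshold and the host addresses are assumptions made for illustration.

```c
/* Constructed model of a pam_af-style counter (not the port's code). */
#include <string.h>

#define MAX_HOSTS 16
#define MAX_FAILURES 3                 /* assumed blocking threshold */

struct host_stat { char host[64]; int failures; };
static struct host_stat table[MAX_HOSTS];
static int nhosts;

static struct host_stat *lookup(const char *host) {
    for (int i = 0; i < nhosts; i++)
        if (strcmp(table[i].host, host) == 0) return &table[i];
    if (nhosts == MAX_HOSTS) return NULL;
    struct host_stat *h = &table[nhosts++];
    strncpy(h->host, host, sizeof h->host - 1);
    h->host[sizeof h->host - 1] = '\0';
    h->failures = 0;
    return h;
}

/* Stand-in for pam_sm_authenticate(): record the attempt before the
 * password is checked and refuse once the host is over the limit. */
static int model_authenticate(const char *host, int password_ok) {
    struct host_stat *h = lookup(host);
    if (h == NULL || h->failures >= MAX_FAILURES) return 0; /* blocked */
    h->failures++;                     /* failed until setcred says otherwise */
    return password_ok;
}

/* Stand-in for pam_sm_setcred(): reached only after success, resets. */
static void model_setcred(const char *host) {
    struct host_stat *h = lookup(host);
    if (h) h->failures = 0;
}

/* Pattern the reporter sees on FreeBSD: PAM auth runs only for known users. */
int login_pam_known_users_only(const char *host, int user_exists, int pw_ok) {
    if (!user_exists) return 0;        /* rejected, but the module never sees it */
    if (!model_authenticate(host, pw_ok)) return 0;
    model_setcred(host);
    return 1;
}

/* Pattern the reporter sees on NetBSD: every attempt enters PAM auth. */
int login_pam_every_attempt(const char *host, int user_exists, int pw_ok) {
    if (!model_authenticate(host, user_exists && pw_ok)) return 0;
    model_setcred(host);
    return 1;
}

int failures_for(const char *host) { struct host_stat *h = lookup(host); return h ? h->failures : 0; }

/* Drive n guesses against a nonexistent user name through a login pattern. */
int hammer_unknown_user(int (*login)(const char *, int, int), const char *host, int n) {
    for (int i = 0; i < n; i++) login(host, 0, 0);
    return failures_for(host);
}
```

Under the known-users-only pattern the counter for a host guessing nonexistent names stays at zero, which is the empty statistics database the report describes; under the every-attempt pattern the same host is blocked after MAX_FAILURES guesses.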