Date:      Sun, 27 Oct 2013 18:11:15 -0000
From:      "Steven Hartland" <killing@multiplay.co.uk>
To:        "Dag-Erling Smørgrav" <des@des.no>, "Carlo Strub" <cs@FreeBSD.org>
Cc:        freebsd-security@freebsd.org, az@azsupport.com
Subject:   Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Message-ID:  <8D7C4A668063437DBEEA0D513D51B662@multiplay.co.uk>
References:  <20131023135408.38752099@azsupport.com> <1382529986.729788.498652166.90148.2@c-st.net> <86y55emw8a.fsf@nine.des.no>


----- Original Message ----- 
From: "Dag-Erling Smørgrav" <des@des.no>


> Carlo Strub <cs@FreeBSD.org> writes:
>> Andrei <az@azsupport.com> writes:
>>> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
>>> OpenPAM sources.  The big embarrassment was in pam_get_authtok.c. The
>>> problem is that even without a valid SSH login it's possible to know
>>> the server's hostname.
>> I agree. That looks like an unnecessary privacy violation to me. What
>> do you think des@?
>
> No.  This is intentional, and I will not change it.  If you don't like
> it, you can override the default prompt in your PAM policy; see the
> pam_get_authtok() man page for details.

Out of curiosity, what's the reasoning behind it doing things?

    Regards
    Steve 


================================================
This e.mail is private and confidential between Multiplay (UK) Ltd. and the person or entity to whom it is addressed. In the event of misdirection, the recipient is prohibited from using, copying, printing or otherwise disseminating it or any information contained in it. 

In the event of misdirection, illegible or incomplete transmission please telephone +44 845 868 1337
or return the E.mail to postmaster@multiplay.co.uk.
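For readers following the thread: des@ points at the pam_get_authtok(3) man page for overriding the default prompt. The fragment below is an added illustration, not part of any message in the thread and not taken from FreeBSD's shipped configuration. It assumes the authtok_prompt module option that OpenPAM's pam_get_authtok(3) documents: when a module calls pam_get_authtok() with a NULL prompt, that option (if set on the module's line in the policy) takes precedence over the built-in default, so a static prompt replaces the one that embeds the hostname. The module line shown (pam_unix with no_warn and try_first_pass) is a typical sshd auth line and is assumed, not copied from the page.

```text
# /etc/pam.d/sshd (illustrative fragment, assumed layout)
#
# Before: the module uses OpenPAM's default prompt, which in this
# OpenPAM release includes the server's hostname and is shown to
# unauthenticated clients.
#
#   auth  required  pam_unix.so  no_warn try_first_pass
#
# After: pin the prompt via the authtok_prompt option documented in
# pam_get_authtok(3), so nothing host-specific is disclosed before
# authentication succeeds.
auth  required  pam_unix.so  no_warn try_first_pass authtok_prompt=Password:
```

The option value is a single token on the policy line, so keep it free of whitespace unless the OpenPAM version in use documents quoting for module options. Verify the effect by opening a new ssh connection with keyboard-interactive or password authentication and checking that the prompt text no longer carries the hostname; the change is confined to the prompt string and does not alter which credentials are accepted.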



