From owner-freebsd-security@FreeBSD.ORG Sun Oct 27 18:11:14 2013
From: "Steven Hartland" <killing@multiplay.co.uk>
To: Dag-Erling Smørgrav, "Carlo Strub"
Cc: freebsd-security@freebsd.org, az@azsupport.com
Subject: Re: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Date: Sun, 27 Oct 2013 18:11:15 -0000
Message-ID: <8D7C4A668063437DBEEA0D513D51B662@multiplay.co.uk>
References: <20131023135408.38752099@azsupport.com> <1382529986.729788.498652166.90148.2@c-st.net> <86y55emw8a.fsf@nine.des.no>
List-Id: "Security issues [members-only posting]"
----- Original Message -----
From: "Dag-Erling Smørgrav"

> Carlo Strub writes:
>> Andrei writes:
>>> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
>>> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The
>>> problem is that even without a valid SSH login it's possible to know
>>> the server's hostname.
>> I agree. That looks like an unnecessary privacy violation to me. What
>> do you think des@?
>
> No. This is intentional, and I will not change it. If you don't like
> it, you can override the default prompt in your PAM policy; see the
> pam_get_authtok() man page for details.

Out of curiosity, what's the reasoning behind it doing things?

Regards
Steve
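As an added illustration of the override des@ points to (constructed for this archive page, not posted by anyone in the thread), the relevant line of a FreeBSD sshd PAM policy with the default prompt replaced. It assumes the authtok_prompt module option described in the FreeBSD pam_get_authtok(3) man page, and that pam_unix is the module collecting the password for sshd:

```text
# /etc/pam.d/sshd -- constructed fragment, only the pam_unix auth line is shown.

# Before: no prompt given, so pam_get_authtok() falls back to its built-in
# default prompt, which the thread reports includes the server's hostname and
# is therefore shown to a client before any credential has been accepted.
#auth   required    pam_unix.so     no_warn try_first_pass

# After: the authtok_prompt option (assumed from pam_get_authtok(3)) supplies a
# fixed prompt, so the hostname is no longer part of what an
# unauthenticated client sees.
auth    required    pam_unix.so     no_warn try_first_pass authtok_prompt=Password:
```

To confirm the change took effect, connect to the host with a client that uses keyboard-interactive or password authentication and check that the prompt text is now exactly what the policy specifies; any module that calls pam_get_authtok() without its own prompt picks the option up the same way, so each such line in the policy needs the option if the hostname is to be kept out of every prompt.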