Date:      Sun, 10 Dec 2006 06:59:56 -0800 (PST)
From:      "Eugene M. Kim" <freebsd.org@ab.ote.we.lv>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/106564: [PATCH] security/pam_bsdbioapi always requires finger swiping
Message-ID:  <200612101459.kBAExun4000650@seerajeane.astralblue.net>
Resent-Message-ID: <200612101530.kBAFUENC098035@freefall.freebsd.org>


>Number:         106564
>Category:       ports
>Synopsis:       [PATCH] security/pam_bsdbioapi always requires finger swiping
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 10 15:30:09 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD seerajeane.astralblue.net 7.0-CURRENT FreeBSD 7.0-CURRENT #12: Fri Dec 1 05:37:54 PST 2006 ab@seerajeane.astralblue.net:/home/FreeBSD/build/MAIN/obj/home/FreeBSD/build/MAIN/src/sys/PL-SEERAJEANE i386
>Description:
The pam_bsdbioapi(8) module always prompts for finger swiping before
failing and proceeding to the next module, even when the user has not
enrolled yet.
>How-To-Repeat:
Enable pam_bsdbioapi(8) in /etc/pam.d/login, and try to log in as a user
who has not enrolled yet; the module prompts as if the user is enrolled.
>Fix:
Add the following patch (in /usr/ports/security/pam_bsdbioapi/files for
example), then add the -s option to the pam_bsdbioapi lines in /etc/pam.d/*:

-------------------- snip -------------------- snip --------------------
--- src/pam_bsdbioapi/pam_bsdbioapi.8	Thu Feb 23 06:15:13 2006
+++ src/pam_bsdbioapi/pam_bsdbioapi.8.new	Sun Dec 10 06:36:31 2006
@@ -36,6 +36,7 @@
 .Ar pam_bsdbioapi
 .Ar bsp-uuid 
 .Ar backend
+.Op -s
 .Op -f birdb-path
 .Op -m message-file
 .Sh DESCRIPTION
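Review bot: the new synopsis line `.Op -s` follows the literal style of the existing `.Op -f birdb-path` and `.Op -m message-file` lines, but mdoc markup for a flag is `.Op Fl s`; since the option list below uses `.It Fl s`, consider writing `.Op Fl s` here (and, as a separate cleanup, `.Op Fl f Ar birdb-path` / `.Op Fl m Ar message-file`) so the synopsis and the option descriptions are marked up the same way.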
@@ -69,6 +70,12 @@
 This option is required.
 .Pp
 .Bl -tag -width ".Fl m Ar message-file"
+.It Fl s
+Fail without prompting the user to swipe finger if the user has not enrolled
+yet.
+This is useful if only a handful of users has enrolled, but leaks whether the
+given user has enrolled, to whomever tries to authenticate as the user (e.g.
+an attacker outside).
 .It Fl f Ar birdb-path
 Specify an alternative path to the birdb.conf file for backend configuration.
 The default is /usr/local/etc/birdb.conf
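Review bot: the description of `-s` should state the consequence precisely rather than in passing: with `-s` the swipe prompt is shown only for enrolled accounts, so anyone who can reach the login prompt learns whether a given account is enrolled from whether they are asked to swipe, which is a user-enumeration oracle. Suggested wording: "Fail immediately, without prompting for a finger swipe, if the user has not enrolled. This avoids pointless prompts when only a few users are enrolled, but it reveals to anyone attempting to authenticate whether the named account is enrolled." Also, "a handful of users has enrolled" should read "have enrolled".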
--- src/pam_bsdbioapi/pam_bsdbioapi.c	Thu Feb 23 06:15:13 2006
+++ src/pam_bsdbioapi/pam_bsdbioapi.c.new	Sun Dec 10 06:26:57 2006
@@ -215,7 +215,7 @@
     int argc, const char *argv[])
 {
 	const char *user, *bsp_id, *dbid, *conf, *msgfile;
-	int error, pam_retval = PAM_AUTH_ERR;
+	int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled;
 	BioAPI_HANDLE *handle;
 	struct birdb_rec keyrec, **recs;
 	struct birdb_mod *bm;
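Review bot: `skip_unenrolled` is declared here but only assigned its default in a later hunk; initialising it at the declaration (`int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled = 0;`) keeps the default next to the variable and rules out any early-return path reading it before the option loop runs.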
@@ -241,9 +241,10 @@
 
 	conf = DEFCONFPATH; 
 	msgfile = NULL;
+	skip_unenrolled = 0;
 
 	optind = 2;
-	while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) {
+	while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) {
 		switch (opt) {
 		case 'm':
 			msgfile = argv[optind - 1];
@@ -253,6 +254,9 @@
 			conf = argv[optind - 1];
 			PAM_LOG("Got birdb configuration file: %s", conf);
 			break;
+		case 's':
+			skip_unenrolled = 1;
+			break;
 		}
 	}
 
@@ -271,7 +275,6 @@
 	PAM_LOG("Got user: %s", user);
 
 	setuid(euid);
-	pam_info(pamh, "Initiating biometric authentication..."); 
 
 	error = bioapi_init();
 	if (error)
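Review bot: removing the `pam_info` call here changes behaviour for every configuration, not only when `-s` is given: the "Initiating biometric authentication..." message is now emitted only after the enrollment lookup succeeds, so `bioapi_init()` and backend setup run silently. That is the right place for it, since the message should appear only when a swipe will actually be requested, but the PR text should mention it as a general change; the removed line also carries trailing whitespace, which the re-added copy preserves.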
@@ -312,7 +315,8 @@
 
 	keyrec.br_key = (char *)user;
 	recs = birdb_backend_get(bm, bmh, &keyrec);
-	if (recs != NULL) {
+	if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) {
+		pam_info(pamh, "Initiating biometric authentication..."); 
 		handle = bioapi_attach_bsp(bsp_id);
 		if (handle == NULL) {
 			PAM_VERBOSE_ERROR("Failed to attach the selected BSP");
-------------------- snip -------------------- snip --------------------

Note that the "skip-unenrolled" behavior is not enabled by default
because of security implications (see the new pam_bsdbioapi(8) manpage).
>Release-Note:
>Audit-Trail:
>Unformatted: