Date: Sun, 10 Dec 2006 06:59:56 -0800 (PST)
From: "Eugene M. Kim" <freebsd.org@ab.ote.we.lv>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/106564: [PATCH] security/pam_bsdbioapi always requires finger swiping
Message-ID: <200612101459.kBAExun4000650@seerajeane.astralblue.net>
Resent-Message-ID: <200612101530.kBAFUENC098035@freefall.freebsd.org>
>Number: 106564
>Category: ports
>Synopsis: [PATCH] security/pam_bsdbioapi always requires finger swiping
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 10 15:30:09 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Eugene M. Kim
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD seerajeane.astralblue.net 7.0-CURRENT FreeBSD 7.0-CURRENT #12: Fri Dec 1 05:37:54 PST 2006 ab@seerajeane.astralblue.net:/home/FreeBSD/build/MAIN/obj/home/FreeBSD/build/MAIN/src/sys/PL-SEERAJEANE i386
>Description:
The pam_bsdbioapi(8) module always prompts for finger swiping before failing and proceeding to the next module, even when the user has not enrolled yet.
>How-To-Repeat:
Enable pam_bsdbioapi(8) in /etc/pam.d/login, and try to log in as a user who has not enrolled yet; the module prompts as if the user is enrolled.
>Fix:
Add the following patch (in /usr/ports/security/pam_bsdbioapi/files for example), then add the -s option to the pam_bsdbioapi lines in /etc/pam.d/*:
-------------------- snip -------------------- snip --------------------
--- src/pam_bsdbioapi/pam_bsdbioapi.8 Thu Feb 23 06:15:13 2006 +++ src/pam_bsdbioapi/pam_bsdbioapi.8.new Sun Dec 10 06:36:31 2006 @@ -36,6 +36,7 @@ .Ar pam_bsdbioapi .Ar bsp-uuid .Ar backend +.Op -s .Op -f birdb-path .Op -m message-file .Sh DESCRIPTION
@@ -69,6 +70,12 @@ This option is required. .Pp .Bl -tag -width ".Fl m Ar message-file" +.It Fl s +Fail without prompting the user to swipe finger if the user has not enrolled +yet. +This is useful if only a handful of users has enrolled, but leaks whether the +given user has enrolled, to whomever tries to authenticate as the user (e.g. +an attacker outside). .It Fl f Ar birdb-path Specify an alternative path to the birdb.conf file for backend configuration. The default is /usr/local/etc/birdb.conf --- src/pam_bsdbioapi/pam_bsdbioapi.c Thu Feb 23 06:15:13 2006 +++ src/pam_bsdbioapi/pam_bsdbioapi.c.new Sun Dec 10 06:26:57 2006 @@ -215,7 +215,7 @@ int argc, const char *argv[]) { const char *user, *bsp_id, *dbid, *conf, *msgfile; - int error, pam_retval = PAM_AUTH_ERR; + int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled; BioAPI_HANDLE *handle; struct birdb_rec keyrec, **recs; struct birdb_mod *bm; @@ -241,9 +241,10 @@ conf = DEFCONFPATH; msgfile = NULL; + skip_unenrolled = 0; optind = 2; - while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) { + while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) { switch (opt) { case 'm': msgfile = argv[optind - 1]; @@ -253,6 +254,9 @@ conf = argv[optind - 1]; PAM_LOG("Got birdb configuration file: %s", conf); break; + case 's': + skip_unenrolled = 1; + break; } } @@ -271,7 +275,6 @@ PAM_LOG("Got user: %s", user); setuid(euid); - pam_info(pamh, "Initiating biometric authentication..."); error = bioapi_init(); if (error) 
@@ -312,7 +315,8 @@ keyrec.br_key = (char *)user; recs = birdb_backend_get(bm, bmh, &keyrec); - if (recs != NULL) { + if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) { + pam_info(pamh, "Initiating biometric authentication..."); handle = bioapi_attach_bsp(bsp_id); if (handle == NULL) { PAM_VERBOSE_ERROR("Failed to attach the selected BSP");
-------------------- snip -------------------- snip --------------------
Note that the "skip-unenrolled" behavior is not enabled by default because of security implications (see the new pam_bsdbioapi(8) manpage).
>Release-Note:
>Audit-Trail:
>Unformatted:
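Review bot: the new .It Fl s entry in the pam_bsdbioapi.8 hunk (@@ -69,6 +70,12 @@) names the trade-off but not the default, so an administrator reading it cannot tell what happens without the flag; add a sentence such as "Without this option the module prompts for a swipe even when the user has not enrolled, so enrolment status is not revealed." While there, "a handful of users has enrolled" should read "have enrolled".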
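Review bot: in the pam_bsdbioapi.c hunk at @@ -215,7 +215,7 @@, skip_unenrolled is declared uninitialised and only set to 0 in the following hunk (@@ -241,9 +241,10 @@); initialising it at the declaration, as pam_retval already is on the same line (`int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled = 0;`), keeps the two hunks from depending on each other and removes the separate `skip_unenrolled = 0;` statement.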
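Review bot: the @@ -253,6 +254,9 @@ hunk adds `case 's':` and then closes the switch with no `default:` label, so a mistyped option in pam.d (getopt returns '?') is still silently accepted; since this change is what makes the option string longer, a `default:` that records the bad option with PAM_LOG would make configuration errors visible instead of degrading to the default behaviour.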
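Review bot: the condition added in the @@ -312,7 +315,8 @@ hunk, `recs[0] != NULL`, relies on birdb_backend_get() returning a NULL-terminated array in which an empty first slot means "no enrolment record"; that assumption deserves a comment, because nothing else on the page shows it. Two follow-ups for the skip path: nothing is logged when the module declines to prompt, so an administrator sees only the default PAM_AUTH_ERR with no hint that the user is simply unenrolled (a PAM_LOG("User %s has not enrolled", user) in the else branch would fix that), and PAM_AUTH_ERR itself conflates "no data for this user" with "swipe did not match"; returning PAM_AUTHINFO_UNAVAIL for the unenrolled case would let a pam.d policy treat the two outcomes differently. The moved pam_info() call (removed in @@ -271,7 +275,6 @@ and re-added here) is consistent with this: with -s the prompt is the observable difference the man page text warns about, so keeping the message inside the same branch is the right place for it.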