Date: Thu, 19 May 2005 10:11:48 +0930
From: "Daniel O'Connor" <doconnor@gsoft.com.au>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/81231: Patch pam_ssh to reject keys with no passphrase by default
Message-ID: <200505191011.49286.doconnor@gsoft.com.au>
Resent-Message-ID: <200505190050.j4J0o2PD087301@freefall.freebsd.org>
>Number: 81231 >Category: bin >Synopsis: Patch pam_ssh to reject keys with no passphrase by default >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu May 19 00:50:02 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Daniel O'Connor >Release: FreeBSD 6.0-CURRENT i386 >Organization: >Environment: System: FreeBSD inchoate.localdomain 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Tue May 3 01:14:04 CST 2005 darius@inchoate.localdomain:/usr/obj/usr/src/sys/INCHOATE i386 >Description: Currently pam_ssh will allow a user to login with any password if they have a key file with no passphrase. >How-To-Repeat: Change your passphrase to nothing & enable pam_ssh. You will be able to login with any password. >Fix: This patch make pam_ssh ignore keys with no passphrase unless the nullok option is supplied. http://www.gsoft.com.au/~doconnor/pam_ssh-nullpass.diff # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # pam_ssh-nullpass.diff # echo x - pam_ssh-nullpass.diff sed 's/^X//' >pam_ssh-nullpass.diff << 'END-of-pam_ssh-nullpass.diff' XIndex: lib/libpam/modules/pam_ssh/pam_ssh.8 X=================================================================== XRCS file: /usr/CVS-Repository/src/lib/libpam/modules/pam_ssh/pam_ssh.8,v Xretrieving revision 1.13 Xdiff -u -r1.13 pam_ssh.8 X--- lib/libpam/modules/pam_ssh/pam_ssh.8 2 Jul 2004 23:52:18 -0000 1.13 X+++ lib/libpam/modules/pam_ssh/pam_ssh.8 19 May 2005 00:13:20 -0000 X@@ -93,6 +93,10 @@ X option, X except that if the previously obtained password fails, X the user is prompted for another password. X+.It Cm nullok X+If this option is set then pam_ssh will consider keys with X+no passphrase. 
Normally it will ignore those keys for the X+purposes of authentication. X .El X .Ss SSH Session Management Module X The XIndex: lib/libpam/modules/pam_ssh/pam_ssh.c X=================================================================== XRCS file: /usr/CVS-Repository/src/lib/libpam/modules/pam_ssh/pam_ssh.c,v Xretrieving revision 1.40 Xdiff -u -r1.40 pam_ssh.c X--- lib/libpam/modules/pam_ssh/pam_ssh.c 10 Feb 2004 10:13:21 -0000 1.40 X+++ lib/libpam/modules/pam_ssh/pam_ssh.c 19 May 2005 00:17:49 -0000 X@@ -87,7 +87,7 @@ X * struct pam_ssh_key containing the key and its comment. X */ X static struct pam_ssh_key * X-pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) X+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, int nullok) X { X struct pam_ssh_key *psk; X char fn[PATH_MAX]; X@@ -97,6 +97,22 @@ X if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) X return (NULL); X comment = NULL; X+ X+ /* Test if the key is loadable with no passphrase */ X+ if ((key = key_load_private(fn, "", &comment)) != NULL) { X+ free(comment); X+ key_free(key); X+ } X+ X+ /* If nullok is set check that the passphrase we got from the user is X+ * null since SSH will ignore the passphrase we pass in if there is no X+ * passphrase on the key so if we don't check that what is passed in X+ * is empty the user will be able to login with *any* password(!) 
X+ */ X+ if (!(nullok && passphrase[0] == '\0') && key != NULL) { X+ openpam_log(PAM_LOG_NOTICE, "null passphrase was found, refusing to continue\n"); X+ return (NULL); X+ } X key = key_load_private(fn, passphrase, &comment); X if (key == NULL) { X openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn); X@@ -136,11 +152,16 @@ X const char **kfn, *passphrase, *user; X struct passwd *pwd; X struct pam_ssh_key *psk; X- int nkeys, pam_err, pass; X+ int nkeys, pam_err, pass, nullok; X X /* PEM is not loaded by default */ X OpenSSL_add_all_algorithms(); X X+ if (openpam_get_option(pamh, "nullok") != NULL) X+ nullok = 1; X+ else X+ nullok = 0; X+ X /* get user name and home directory */ X pam_err = pam_get_user(pamh, &user, NULL); X if (pam_err != PAM_SUCCESS) X@@ -170,7 +191,7 @@ X /* try to load keys from all keyfiles we know of */ X nkeys = 0; X for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { X- psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); X+ psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); X if (psk != NULL) { X pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); X ++nkeys; END-of-pam_ssh-nullpass.diff exit >Release-Note: >Audit-Trail: >Unformatted:
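Review bot: the new .It Cm nullok text in the pam_ssh.8 hunk (@@ -93,6 +93,10 @@) does not say what the code actually does. With nullok set, a key that has no passphrase is accepted only when the password the user typed is itself empty, and an administrator reading "pam_ssh will consider keys with no passphrase" will expect any password to work. The entry should also spell out the consequence of enabling the option, namely that anyone who knows the user name can authenticate with an empty password as long as such a key file exists in that user's home directory. Suggested wording: `.It Cm nullok` / `Accept keys that have no passphrase, provided the password entered is also empty.` / `By default such keys are ignored for the purposes of authentication.` Minor mdoc style point: refer to the module with .Nm rather than the literal string pam_ssh.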
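Review bot: in the pam_ssh.c hunk at @@ -97,6 +97,22 @@ the probe `if ((key = key_load_private(fn, "", &comment)) != NULL) { free(comment); key_free(key); }` frees the key but leaves `key` holding the freed pointer, and the decision `if (!(nullok && passphrase[0] == '\0') && key != NULL)` then compares that dangling value. Using the value of a freed pointer is undefined behaviour in C, and a later edit that sets `key = NULL` inside the probe branch (the natural thing to do after key_free) would silently turn the whole check off. Record the probe result in a flag instead: declare `int nullkey = 0;`, set `nullkey = 1;` inside the probe branch, and test `nullkey` in the condition. A second point: the PAM_LOG_NOTICE line "null passphrase was found, refusing to continue" is also emitted when nullok is set but the user supplied a non-empty password; a message that names both facts (key has no passphrase, non-empty password supplied) would be clearer for whoever reads the syslog, since in that case the refusal is by design rather than a configuration problem.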
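Review bot: style point in the @@ -136,11 +152,16 @@ hunk: the four-line if/else that sets `nullok` is equivalent to the single assignment `nullok = (openpam_get_option(pamh, "nullok") != NULL);`, which is shorter and leaves no path on which the variable could be read uninitialised. Behaviour is unchanged either way, so this is cosmetic only.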
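The behaviour the report describes, and the decision the patch adds, can be followed without OpenSSH by modelling the one property of key_load_private() that matters: a private key stored without a passphrase loads whatever passphrase is passed in. The block below is an added example written for this page, not code from pam_ssh or OpenSSH; model_key_load_private(), the struct model_key type and the two sample keys (key_nopass, key_encrypted with the constructed passphrase "correct horse") are stand-ins invented for the illustration. pam_ssh_auth_vulnerable() is the pre-patch logic, pam_ssh_auth_fixed() is the patched logic with the probe result kept in a flag rather than in the freed key pointer.

```c
/*
 * Model of the pam_ssh null-passphrase problem from PR bin/81231 and of
 * the nullok fix.  Added example, not pam_ssh or OpenSSH code: the real
 * key_load_private() parses a PEM key file, while
 * model_key_load_private() below only reproduces the property the
 * report relies on, namely that a key stored without a passphrase loads
 * no matter which passphrase is supplied.
 */
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an on-disk private key.  passphrase == NULL
 * models a key that was written with no passphrase (unencrypted). */
struct model_key {
    const char *name;
    const char *passphrase;
};

/* Two constructed sample keys (not real key material). */
const struct model_key key_nopass    = { "id_dsa-nopass", NULL };
const struct model_key key_encrypted = { "id_dsa-enc", "correct horse" };

/* Stand-in for key_load_private(): 1 if the key loads with the given
 * passphrase, 0 otherwise.  An unencrypted key ignores the argument,
 * which is exactly why the original pam_ssh accepted any password. */
int model_key_load_private(const struct model_key *k, const char *passphrase)
{
    if (k->passphrase == NULL)
        return 1;                     /* nothing to decrypt: any input works */
    return strcmp(k->passphrase, passphrase) == 0;
}

/* Logic before the patch: a single load attempt with the user's password. */
int pam_ssh_auth_vulnerable(const struct model_key *k, const char *password)
{
    return model_key_load_private(k, password);
}

/* Logic after the patch.  Probe with an empty passphrase first; a key
 * that loads that way has no passphrase and is refused unless nullok is
 * set AND the user's password is also empty.  The probe result lives in
 * a flag, not in a pointer that has already been freed. */
int pam_ssh_auth_fixed(const struct model_key *k, const char *password, int nullok)
{
    int nullkey = model_key_load_private(k, "");

    if (nullkey && !(nullok && password[0] == '\0')) {
        fprintf(stderr, "%s: null passphrase found, refusing to continue\n",
                k->name);
        return 0;
    }
    return model_key_load_private(k, password);
}

/* Print the decision table for both sample keys. */
int main(void)
{
    const struct model_key *keys[] = { &key_nopass, &key_encrypted };
    const char *passwords[] = { "", "wrong", "correct horse" };
    size_t i, j;
    int nullok;

    printf("%-14s %-14s %-10s %-12s %-12s\n",
           "key", "password", "vulnerable", "fixed", "fixed+nullok");
    for (i = 0; i < 2; i++) {
        for (j = 0; j < 3; j++) {
            printf("%-14s %-14s %-10d", keys[i]->name,
                   passwords[j][0] ? passwords[j] : "(empty)",
                   pam_ssh_auth_vulnerable(keys[i], passwords[j]));
            for (nullok = 0; nullok < 2; nullok++)
                printf(" %-12d",
                       pam_ssh_auth_fixed(keys[i], passwords[j], nullok));
            printf("\n");
        }
    }
    return 0;
}
```

The table makes the two edge cases visible: for the passphrase-less key the pre-patch logic returns success for "wrong", and the patched logic returns success only in the nullok column and only for the empty password. In other words nullok means "let this user in with an empty password whenever an unencrypted key sits in the home directory", which is what an administrator is opting into by adding the option to the pam_ssh line in the service's PAM configuration (an illustrative line: `auth sufficient pam_ssh.so nullok`); on anything reachable over the network it should stay off.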