Date: Wed, 23 Oct 2013 13:54:08 +0200 From: Andrei <az@azsupport.com> To: freebsd-security@freebsd.org Subject: OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected) Message-ID: <20131023135408.38752099@azsupport.com>
next in thread | raw e-mail | index | archive | help
Hello, I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The problem is that even without a valid SSH login it's possible to know the server's hostname. az@az:/home/az % ssh 1.2.3.4 Password for az@real.hostname.com: Changes made by "des": http://www.openpam.org/changeset/510/openpam/trunk/lib I really do not think that this behavior must be present! I ask the community to pay attention to it and remove these harmful changes. Kind regards, Andrei.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20131023135408.38752099>