PAM module does not report insufficient remaining passwords
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
otpw (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
NOTE: Potential denial-of-service vulnerability. See details below.
According to the otpw.html file distributed with the libpam-otpw package:
"If after otpw_verify() has returned, the condition ch.entries > 2 * ch.remaining is true and half of all passwords have been used, the user should be remembered to generate a new password list by executing otpw-gen."
With the following PAM settings included in /etc/pam.d/sshd:
auth sufficient pam_otpw.so
session optional pam_otpw.so
this doesn't happen. In fact, it's possible to completely run out of one-time passwords without warning. This is a security vulnerability insofar as it can lead to denial-of-service if OTPs are silently exhausted, especially when alternatives to ChallengeRespon
Expected behavior is for the PAM module to squawk at the user when remaining passwords are less than 50% of those generated, or less than some minimum value (e.g. some reasonable number that would provide random selection even in the face of the race-for-
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libpam-otpw 1.3-2ubuntu1
ProcVersionSign
Uname: Linux 3.0.0-16-generic x86_64
NonfreeKernelMo
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Sat Feb 18 05:32:30 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
SourcePackage: otpw
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in otpw (Ubuntu):
status: New → Confirmed
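The check the report is asking for, as an added stand-alone example (not code from otpw, libpam-otpw, or the reporter): the condition quoted from otpw.html, `ch.entries > 2 * ch.remaining`, plus the reporter's suggested absolute floor. Only the field names `entries` and `remaining` are taken from the quoted text; the struct, the `min_remaining` threshold, the message wording, and the sample counts are assumptions made for the example. The simulation at the end shows the difference between the requested behaviour (a warning with plenty of passwords left) and the reported one (the list runs out with no warning at all).

```c
/* Added example, not part of otpw or libpam-otpw.  Mirrors only the two
 * challenge fields named in otpw.html (entries, remaining); everything else
 * here is an assumption for illustration. */
#include <stdbool.h>
#include <stdio.h>

struct otpw_counts {
    int entries;    /* passwords generated by the last otpw-gen run */
    int remaining;  /* passwords not yet consumed */
};

/* Warn when more than half the list has been used (the otpw.html condition)
 * or when fewer than min_remaining are left (the reporter's suggested floor;
 * the actual number is an assumption, chosen by the deployer). */
bool otpw_should_warn(const struct otpw_counts *c, int min_remaining)
{
    if (c->remaining <= 0)
        return true;                     /* exhausted: always complain */
    if (c->entries > 2 * c->remaining)
        return true;                     /* past the 50% mark */
    return c->remaining < min_remaining; /* below the absolute floor */
}

/* Build the text a PAM module would hand to the user (a real module would
 * pass it through the PAM conversation, e.g. pam_info()).  Returns the
 * message length, or 0 when no warning is due. */
int otpw_warning(const struct otpw_counts *c, int min_remaining,
                 char *buf, size_t len)
{
    if (!otpw_should_warn(c, min_remaining)) {
        buf[0] = '\0';
        return 0;
    }
    return snprintf(buf, len,
        "pam_otpw: %d of %d one-time passwords remain; run otpw-gen "
        "to create a new list", c->remaining, c->entries);
}

/* Consume a list one password per login and return how many passwords were
 * still left when the first warning fired.  -1 means the list was used up
 * without any warning, which is the behaviour the bug report describes. */
int first_warning_at(int entries, int min_remaining, bool warnings_enabled)
{
    struct otpw_counts c = { entries, entries };
    while (c.remaining > 0) {
        c.remaining--;                   /* one login used one password */
        if (warnings_enabled && otpw_should_warn(&c, min_remaining))
            return c.remaining;
    }
    return -1;
}

int main(void)
{
    char msg[128];
    struct otpw_counts c = { 280, 100 }; /* constructed sample counts */

    otpw_warning(&c, 20, msg, sizeof msg);
    puts(msg);
    printf("with the check, warning fires with %d of 280 left\n",
           first_warning_at(280, 20, true));
    printf("without the check: %d (list exhausted silently)\n",
           first_warning_at(280, 20, false));
    return 0;
}
```

With a 280-entry list the 50% rule fires first (139 left); with a short list the floor dominates, so a 30-entry list warns at 19 remaining rather than at 14. The `-1` from the disabled branch is exactly the silent exhaustion the report calls a denial-of-service risk.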
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures