Colin Watson wrote:
> 20040530
> [...]
> - (dtucker) [auth-pam.c] Use an invalid password for root if
> PermitRootLogin != yes or the login is invalid, to prevent leaking
> information. Based on Openwall's owl-always-auth patch. ok djm@
>
> However, that's only PAM password authentication, and
> keyboard-interactive is relevant too. Darren, do you happen to know if
> kbdint has been fixed in the same way in 3.9p1? I don't see anything
> obvious in CVS.
No, it's not fixed in 3.9p1.
The problem is not exactly the same, though. In this case, it's partly
because the keyboard-interactive code doesn't call the kbdint driver at
all in this case. The first attached patch ought to fix that.
With that fixed, a change to the PAM code is required because it will
complete for a real user with their real password if, eg they are listed
in DenyUsers. This will result in the PAM code getting out of sync with
the kbdint code, resulting in the authentication hanging. The second
patch ought to fix that.
I haven't done much testing of either patch, so please let me know how
they go.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Message-ID: <email address hidden>
Date: Sat, 20 Nov 2004 13:51:55 +1100
From: Darren Tucker <email address hidden>
To: Colin Watson <email address hidden>
CC: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames
Content-Type: text/plain; name="openbsd-sshd-kbdint-leak.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="openbsd-sshd-kbdint-leak.patch"
Index: auth2-chall.c ======= ======= ======= ======= ======= ======= ======= ======= ==== usr.bin/ ssh/auth2- chall.c, v info_response( int type, u check_eom( );
=======
RCS file: /cvs/src/
retrieving revision 1.21
diff -u -p -r1.21 auth2-chall.c
--- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
+++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
@@ -268,12 +268,9 @@ input_userauth_
}
packet_
- if (authctxt->valid) { >device- >respond( kbdintctxt- >ctxt, >device- >respond( kbdintctxt- >ctxt, nresp, response);
- res = kbdintctxt-
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt-
+ if (!authctxt->valid)
+ res = 1; /* keep going if login invalid */
for (i = 0; i < nresp; i++) { response[ i], 'r', strlen( response[ i])); info_response( int type, u
memset(
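Review bot: the added `if (!authctxt->valid) res = 1;` throws away whatever the driver returned and reports "needs further interaction" for every invalid login, so an unknown account is always re-prompted while a known account whose password is rejected takes the driver's own result; that difference in prompt count is itself observable, and the comment should explain why 1 is chosen rather than the driver's result or -1. Since the driver is now invoked for invalid logins, the comment should also say that the driver must handle `authctxt->valid` itself (the second attached patch does this for auth-pam.c) for the call to be safe.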
@@ -285,7 +282,7 @@ input_userauth_
switch (res) {
case 0:
/* Success! */
- authenticated = 1;
+ authenticated = authctxt->valid ? 1 : 0;
break;
case 1:
/* Authentication needs further interaction */
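Review bot: `authenticated = authctxt->valid ? 1 : 0;` is the right safety net now that the driver runs for invalid accounts, but it needs a one-line comment, because a reader of `case 0: /* Success! */` will otherwise not see how the driver could report success for an invalid login; something like `/* driver is called for invalid logins too; never authenticate them */` next to the assignment.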
Content-Type: text/plain; name="openssh-pam-kbdint-leak.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="openssh-pam-kbdint-leak.patch"
Index: auth-pam.c ======= ======= ======= ======= ======= ======= ======= ======= ==== src/security/ openssh/ cvs/openssh_ cvs/auth- pam.c,v account_ status = -1; 177INCORRECT" ;
=======
RCS file: /usr/local/
retrieving revision 1.118
diff -u -p -r1.118 auth-pam.c
--- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118
+++ auth-pam.c 20 Nov 2004 02:40:58 -0000
@@ -186,6 +186,7 @@ static int sshpam_
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
+static char badpw[] = "\b\n\r\
/* Some PAM implementations don't implement this */ init(&buffer) ; put_cstring( &buffer, *resp); authctxt- >valid) put_cstring( &buffer, *resp); put_cstring( &buffer, badpw); send(ctxt- >pam_psock, PAM_AUTHTOK, &buffer) == -1) { free(&buffer) ; auth_passwd( Authctxt *authctxt, c permit_ empty_passwd == 0 ? DISALLOW_ NULL_AUTHTOK : 0); 177INCORRECT" ;
#ifndef HAVE_PAM_GETENVLIST
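Review bot: moving `badpw` to file scope makes it shared between sshpam_respond and sshpam_auth_passwd, so the definition should carry a comment stating that it is a deliberately unmatchable password sent on behalf of accounts that must not authenticate (the mail credits the idea to Openwall's owl-always-auth patch); a later reader of sshpam_respond will not see the context that sshpam_auth_passwd provides.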
@@ -746,7 +747,10 @@ sshpam_respond(void *ctx, u_int num, cha
return (-1);
}
buffer_
- buffer_
+ if (sshpam_
+ buffer_
+ else
+ buffer_
if (ssh_msg_
buffer_
return (-1);
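Review bot: the new `if (sshpam_authctxt->valid)` test dereferences the file-scope `sshpam_authctxt`, which the context of the first hunk shows initialised to NULL; confirm it is always set before the kbdint conversation reaches sshpam_respond, or guard the dereference, since a NULL here would crash sshd rather than fail the authentication. A comment is also warranted that the client's real answer is dropped for invalid accounts so that PAM sees the same conversation, a password that cannot match, as the sshpam_auth_passwd path does.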
@@ -1093,7 +1097,6 @@ sshpam_
{
int flags = (options.
PAM_
- static char badpw[] = "\b\n\r\
if (!options.use_pam || sshpam_handle == NULL)
fatal("PAM: %s called when PAM disabled or failed to "
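As an added illustration (not OpenSSH code and not taken from the attached patches), the shape of the fix in C: the backend is driven for unknown accounts too, handed an unmatchable password as the auth-pam.c patch does, and a backend success is masked by `valid`; `backend_respond`, `respond_leaky`, `respond_fixed`, the call counter and the credential store are all constructed for this example.

```c
/* Added illustration (not OpenSSH code): why the keyboard-interactive path
 * must do the same backend work for an unknown account as for a real one.
 * All names below are hypothetical. */
#include <string.h>

/* Unmatchable password: contains control characters no one can type. */
#define DUMMY_PW "\b\n\r\177INCORRECT"

/* Counts backend invocations so the difference between the two paths is
 * measurable rather than just asserted. */
static int backend_calls;

/* Stand-in for the PAM/kbdint driver, with a constructed credential store.
 * Returns 0 on success, -1 on failure, mirroring the driver convention. */
static int backend_respond(const char *user, const char *password)
{
    backend_calls++;
    if (strcmp(user, "alice") == 0 && strcmp(password, "hunter2") == 0)
        return 0;
    return -1;
}

/* Before: an unknown account skips the backend entirely, so its reply is
 * produced without any of the backend's work (the behaviour being fixed). */
int respond_leaky(int valid, const char *user, const char *password)
{
    if (!valid)
        return -1;
    return backend_respond(user, password);
}

/* After: the backend is always driven.  An unknown account is given a
 * password that can never match, and even if the backend were to report
 * success, the result is masked by valid (the belt-and-braces check). */
int respond_fixed(int valid, const char *user, const char *password)
{
    int res = backend_respond(user, valid ? password : DUMMY_PW);
    if (res == 0 && !valid)
        res = -1;
    return res;
}

/* Helper: number of backend calls one authentication attempt makes. */
int backend_calls_for(int (*fn)(int, const char *, const char *),
                      int valid, const char *user, const char *password)
{
    backend_calls = 0;
    fn(valid, user, password);
    return backend_calls;
}
```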