Comment 8 for bug 10334

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 17:26:50 +0000
From: Colin Watson <email address hidden>
To: Darren Tucker <email address hidden>
Cc: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#281595: timing attack allows attacker to determine valid usernames


On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> No, it's not fixed in 3.9p1.
>
> The problem is not exactly the same, though. In this case, it's partly
> because the keyboard-interactive code doesn't call the kbdint driver at
> all in this case. The first attached patch ought to fix that.
>
> With that fixed, a change to the PAM code is required because it will
> complete for a real user with their real password if, e.g., they are listed
> in DenyUsers. This will result in the PAM code getting out of sync with
> the kbdint code, resulting in the authentication hanging. The second
> patch ought to fix that.
>
> I haven't done much testing of either patch, so please let me know how
> they go.

Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
PasswordAuthentication; the patch is attached. It seems to work for me.
After a bit more testing I'll upload this to unstable.

Cheers,

--
Colin Watson [<email address hidden>]

Attachment: openssh-kbdint-authfix.patch

Index: auth-pam.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth-pam.c,v
retrieving revision 1.10
diff -p -u -r1.10 auth-pam.c
--- auth-pam.c 10 Jul 2004 12:36:49 -0000 1.10
+++ auth-pam.c 27 Nov 2004 17:25:56 -0000
@@ -169,6 +169,7 @@ static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";

 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
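Review bot: the new badpw constant carries no comment, so a reader of auth-pam.c alone will not see why a literal beginning with backspace, newline, carriage-return and DEL bytes is being declared. Add a comment above the declaration stating that this is a deliberately invalid password substituted for the client's response when the requested account does not exist, so that PAM performs the same work (and takes the same time) for unknown users as for known ones, and that the control-character prefix is there so the string cannot plausibly coincide with a real password.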
@@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, cha
   return (-1);
  }
  buffer_init(&buffer);
- buffer_put_cstring(&buffer, *resp);
+ if (sshpam_authctxt->valid)
+ buffer_put_cstring(&buffer, *resp);
+ else
+ buffer_put_cstring(&buffer, badpw);
  if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
   buffer_free(&buffer);
   return (-1);
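Review bot: the substitution in sshpam_respond dereferences sshpam_authctxt->valid without a NULL check, so it relies on sshpam_authctxt having been set before any response is forwarded; that assumption should be stated in a comment, together with the reason the real response is withheld. Per the covering mail, forwarding the genuine password for an existing account that is rejected elsewhere (e.g. DenyUsers) lets PAM complete while the kbdint side treats the login as invalid, leaving the two out of step and the authentication hung. A one-line comment such as `/* never let PAM succeed for an invalid login; keeps PAM and kbdint state in sync */` would capture that.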
Index: auth2-chall.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth2-chall.c,v
retrieving revision 1.1.1.3
diff -p -u -r1.1.1.3 auth2-chall.c
--- auth2-chall.c 17 Sep 2003 00:31:55 -0000 1.1.1.3
+++ auth2-chall.c 27 Nov 2004 17:25:57 -0000
@@ -275,12 +275,9 @@ input_userauth_info_response(int type, u
  }
  packet_check_eom();

- if (authctxt->valid) {
- res = kbdintctxt->device->respond(kbdintctxt->ctxt,
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
+ if (!authctxt->valid)
+ res = 1; /* keep going if login invalid */

  for (i = 0; i < nresp; i++) {
   memset(response[i], 'r', strlen(response[i]));
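Review bot: the comment `/* keep going if login invalid */` is too terse for what this line does: it discards whatever respond() returned, including a -1 error, and forces the "needs further interaction" path, so an unknown user is always re-prompted exactly as a known user with a rejected password would be, and neither the result code nor the prompt count distinguishes the two. Expand the comment to say that the device result is intentionally overridden in both the success and error cases, and that respond() is now called unconditionally so the PAM side always receives a response (previously the kbdint driver was not called at all for invalid users, which is the first problem Darren describes).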
@@ -292,7 +289,7 @@ input_userauth_info_response(int type, u
  switch (res) {
  case 0:
   /* Success! */
- authenticated = 1;
+ authenticated = authctxt->valid ? 1 : 0;
   break;
  case 1:
   /* Authentication needs further interaction */
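Review bot: with the earlier hunk forcing res = 1 whenever authctxt->valid is false, case 0 can only be reached for a valid account, so the new ternary is unreachable defence in depth rather than a functional change; a comment saying so (and that it must stay even if the override above is ever removed) would stop a later reader from simplifying it back to `authenticated = 1;`.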
Index: debian/changelog
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/debian/changelog,v
retrieving revision 1.108
diff -p -u -r1.108 changelog
--- debian/changelog 12 Nov 2004 11:17:20 -0000 1.108
+++ debian/changelog 27 Nov 2004 17:25:57 -0000
@@ -1,3 +1,11 @@
+openssh (1:3.8.1p1-8.sarge.4) UNRELEASED; urgency=low
+
+ * Fix timing information leak allowing discovery of invalid usernames in
+ PAM keyboard-interactive authentication (backported from a patch by
+ Darren Tucker; closes: #281595).
+
+ -- Colin Watson <email address hidden> Sat, 27 Nov 2004 16:19:21 +0000
+
 openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low

   * Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
