current pam setup ignores everything (for example: bad passwords, configuration problems)

Bug #711770 reported by Valentijn Sessink
Affects: pam (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

The current pam profiles mostly seem to say:

auth [success=$skipnum default=ignore]

This means that pam will happily try to validate your password against all the modules there are; in fact, it ignores wrong passwords, it ignores errors, acct_expired, maxtries, perm_denied and what not, in any of the modules. Given enough pam modules, your chances of being able to authorize could converge to 1 ;-)

This is the wrong way around. A user should be locked out if she is locked out in any of the authentication databases; she should be denied access if she guesses the wrong password in one of these databases.

There is a Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492 that hints in this direction (in fact, it suggests a seemingly more appropriate [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]), but this bug is not flagged as a security issue.

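To make the difference between the two control fields concrete, here is an added toy model of how libpam walks an auth stack, following the action semantics documented in pam.d(5) in simplified form; it is my own illustration, not code from this bug, from libpam or from pam-auth-update. The two-backend stack (pam_ldap as the second database), the module return codes and the modelled `done` behaviour are constructed assumptions.

```python
KEYWORDS = {  # keyword controls and their bracketed equivalents, as documented in pam.d(5)
    "required":  "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
}
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}  # always the same result

def parse_control(control):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}"""
    control = KEYWORDS.get(control, control)
    return dict(tok.split("=", 1) for tok in control.strip("[]").split())

def run_stack(stack, returns):
    """stack: list of (control, module); returns: module -> return code it yields.
    'bad'/'die' record the first failure, 'ok'/'done'/N count only while no failure is
    recorded, 'ignore' counts for nothing, and an untouched stack ends as perm_denied."""
    status, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        rc = {**FIXED, **returns}[module]
        actions = parse_control(control)
        action = actions.get(rc, actions.get("default", "bad"))
        if action in ("bad", "die"):
            if status in (None, "success"):
                status = rc
            if action == "die":
                break
        elif action != "ignore":  # ok, done or an integer skip count
            if status in (None, "success"):
                status = rc
            if action == "done":
                break
            if action.isdigit():
                i += int(action)
        i += 1
    return status or "perm_denied"

# Constructed Ubuntu-style pam-auth-update stack with two backends (pam_ldap assumed).
DEFAULT_STACK = [("[success=2 default=ignore]", "pam_unix.so"),
                 ("[success=1 default=ignore]", "pam_ldap.so"),
                 ("requisite", "pam_deny.so"),
                 ("required", "pam_permit.so")]
# Same backends with the control field quoted from the Debian bug; no trailing
# pam_deny/pam_permit is needed, since a stack nothing contributed to already fails.
STRICT = ("[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore "
          "authinfo_unavail=ignore default=bad]")
STRICT_STACK = [(STRICT, "pam_unix.so"), (STRICT, "pam_ldap.so")]

def compare(returns):
    """Outcome of the default stack and of the strict stack for the same module results."""
    return run_stack(DEFAULT_STACK, returns), run_stack(STRICT_STACK, returns)
```

With a wrong password in either database, `compare` returns `("success", "auth_err")`: the default stack lets the other backend carry the login, the strict one denies it; a user unknown to pam_unix but accepted by pam_ldap succeeds under both.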
visibility: private → public
Steve Langasek (vorlon) wrote:

This is not a security issue. The default PAM stack is *deliberately* organized such that each module is tried in turn and any one succeeding authentication module is treated as a success for the whole stack.

If this is not the site policy you want, then you should use pam-auth-update to change which profiles are enabled. But the setup you describe is *not* the common case and is not what will be shipped by default in Ubuntu.

Changed in pam (Ubuntu):
status: New → Invalid
Valentijn Sessink (valentijn) wrote:

"Ignoring everything, except success" is the security issue.
I don't have anything against trying all modules, nor do I think that the "one succeeding module" is a security issue per se. But ignoring blatant errors, locked out users, wrong and/or expired passwords, that is a security issue.

May I kindly ask you to reconsider the "ignoring" part? After that, please feel free to ignore this bug report as well ;-)

This report contains Public Security information  