current pam setup ignores everything (for example: bad passwords, configuration problems)

Bug #711770 reported by Valentijn Sessink
Affects: pam (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The current pam profiles mostly seem to say:

auth [success=$skipnum default=ignore]

This means that pam will happily try to validate your password against all the modules there are; in fact, it ignores wrong passwords, it ignores errors, acct_expired, maxtries, perm_denied and what not, in any of the modules. Given enough pam modules, your chances of being able to authorize could converge to 1 ;-)

This is the wrong way around. A user should be locked out if she is locked out in any of the authentication databases; she should be denied access if she guesses the wrong password in one of these databases.

There is a Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583492 that hints in this direction (in fact, it suggests a seemingly more appropriate [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]), but this bug is not flagged as a security issue.

visibility: private → public
Steve Langasek (vorlon) wrote :

This is not a security issue. The default PAM stack is *deliberately* organized such that each module is tried in turn and any one succeeding authentication module is treated as a success for the whole stack.

If this is not the site policy you want, then you should use pam-auth-update to change which profiles are enabled. But the setup you describe is *not* the common case and is not what will be shipped by default in Ubuntu.

Changed in pam (Ubuntu):
status: New → Invalid
Valentijn Sessink (valentijn) wrote :

"Ignoring everything, except success" is the security issue.
I don't have anything against trying all modules, nor do I think that the "one succeeding module" is a security issue per se. But ignoring blatant errors, locked out users, wrong and/or expired passwords, that is a security issue.

May I kindly ask you to reconsider the "ignoring" part? After that, please feel free to ignore this bug report as well ;-)
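The disagreement above (the report's objection to `default=ignore`, and the reply that one succeeding module is meant to pass the whole stack) can be made concrete by simulating the stacking rules. The following is an added example, not code from the bug report, from Ubuntu's PAM packaging, or from Linux-PAM itself: a small Python model of the `[value=action]` control syntax as described in pam.conf(5), run over two constructed auth stacks. The first stack is modelled on the `[success=N default=ignore]` pattern the report quotes, with a hypothetical second backend named `pam_otherdb.so`; the second applies the stricter control line the report cites from Debian bug #583492 to both backends. The module return codes in each scenario are constructed, not captured from a real PAM run.

```python
# Added example: a model of Linux-PAM's "[value=action]" stacking rules
# (pam.conf(5)), used to compare "default=ignore" chaining with the stricter
# "default=bad" control line quoted in the report. Not part of the bug report.

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
PERM_DENIED = "PAM_PERM_DENIED"
MAXTRIES = "PAM_MAXTRIES"
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
IGNORE = "PAM_IGNORE"

# Return codes as they are spelled in the control field of pam.conf(5).
CONTROL_KEY = {
    SUCCESS: "success", AUTH_ERR: "auth_err", USER_UNKNOWN: "user_unknown",
    PERM_DENIED: "perm_denied", MAXTRIES: "maxtries", IGNORE: "ignore",
    NEW_AUTHTOK_REQD: "new_authtok_reqd", AUTHINFO_UNAVAIL: "authinfo_unavail",
}

# The classic keywords are shorthand for these explicit controls (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(field):
    """Turn 'required' or '[success=1 default=ignore]' into a value->action dict."""
    if field in KEYWORDS:
        return dict(KEYWORDS[field])
    if not (field.startswith("[") and field.endswith("]")):
        raise ValueError(f"bad control field: {field}")
    return dict(item.split("=", 1) for item in field[1:-1].split())


def run_stack(stack, results):
    """Evaluate an auth stack of (control_field, module) lines.

    results maps module name -> the return code that module produces.
    Rules modelled on pam.conf(5): 'ignore' drops the result; 'bad', 'die',
    'ok', 'done' and an integer jump all record the module's code only while
    the stack has not yet recorded a failure (the first failure is sticky);
    'die' and 'done' stop evaluation; a jump skips the next N lines. A stack
    in which every module was ignored is denied.
    """
    status = None  # undefined until some module contributes a result
    skip = 0
    for control_field, module in stack:
        if skip:
            skip -= 1
            continue
        control = parse_control(control_field)
        retval = results[module]
        action = control.get(CONTROL_KEY[retval], control.get("default", "bad"))
        if action == "ignore":
            continue
        if status is None or status == SUCCESS:
            status = retval
        if action in ("die", "done"):
            break
        if action.isdigit():
            skip = int(action)
        elif action not in ("ok", "bad"):
            raise ValueError(f"unknown action: {action}")
    return PERM_DENIED if status is None else status


# Stack modelled on the "[success=N default=ignore]" pattern the report quotes.
# pam_otherdb.so is a hypothetical second authentication backend.
IGNORE_STACK = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_otherdb.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

# The stricter control line quoted from Debian bug #583492, applied to both
# backends. Without the jump pattern, pam_deny/pam_permit are not needed.
STRICT = "[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]"
STRICT_STACK = [(STRICT, "pam_unix.so"), (STRICT, "pam_otherdb.so")]

# Constructed scenarios: what each backend returns for the same login attempt.
SCENARIOS = {
    "wrong_local_password_remote_ok": {"pam_unix.so": AUTH_ERR, "pam_otherdb.so": SUCCESS},
    "local_lockout_remote_ok": {"pam_unix.so": MAXTRIES, "pam_otherdb.so": SUCCESS},
    "unknown_locally_remote_ok": {"pam_unix.so": USER_UNKNOWN, "pam_otherdb.so": SUCCESS},
    "wrong_password_everywhere": {"pam_unix.so": AUTH_ERR, "pam_otherdb.so": AUTH_ERR},
}
# pam_deny always fails and pam_permit always succeeds in the auth phase.
FIXED = {"pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS}


def outcomes(stack):
    """Run every constructed scenario through one stack."""
    return {name: run_stack(stack, {**FIXED, **codes}) for name, codes in SCENARIOS.items()}


if __name__ == "__main__":
    loose, strict = outcomes(IGNORE_STACK), outcomes(STRICT_STACK)
    for name in SCENARIOS:
        print(f"{name:32} ignore-stack: {loose[name]:18} strict-stack: {strict[name]}")
```

Running it shows the two positions side by side: with `default=ignore`, a local `PAM_MAXTRIES` lockout or wrong password is discarded and the second backend's success passes the stack, which is the behaviour the report objects to and the reply describes as intended; with `default=bad`, the first failure is sticky and the login is refused. The `user_unknown=ignore` case behaves the same in both stacks, which is what allows a user that exists in only one database to log in. The model also exposes the edge case that a stack in which every module was ignored (for example, a user unknown to every backend under the strict control) ends in `PAM_PERM_DENIED` rather than silently succeeding.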
