I have a shell user who is able to log in to his accounts via sshd on FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password but nullok was not specified, so I think this should be considered a bug.
During diagnosis, /etc/pam.d/sshd was configured for authentication using:
-------------
auth required pam_ssh.so no_warn try_first_pass
-------------
I enabled _openpam_debug in pam_ssh and found this during a login via sshd to the user's account:
-------------
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/identity
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/id_dsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking login.access for user targetuser from host 172.16.1.240
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got login_cap
-------------
The view from the client machine during the login:
-------------
client:/usr/src/lib/libpam/modules/pam_ssh (557) ssh targetuser@fbsd8-i386
SSH passphrase:
Last login: Tue Nov 15 08:39:28 2011 from 172.16.2.218
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 8.2-RC3 (GENERIC) #0: Sat Jan 29 19:26:23 CST 2011
-------------
So, it asked for the target user's passphrase and successfully authenticated with any password. I understand what happened but I'm rather astonished by the result - I would not have expected pam_ssh to have succeeded on a passwordless key file when a password was required in the pam configuration file, based on the pam_ssh.8 man page:

     nullok    Normally, keys with no passphrase are ignored for
               authentication purposes. If this option is set, keys
               with no passphrase will be taken into consideration,
               allowing the user to log in with a blank password.

Thoughts?
Thanks,
Guy Helmer
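
An added example, not part of the original message and not FreeBSD's code: a Python audit that takes a PAM service file and a set of private key files and lists the keys with no passphrase when an auth rule calls pam_ssh without nullok, which is the configuration reported above. The function names and sample key bodies are constructed for illustration, and the OpenSSH-format and PKCS#8 branches go beyond the PEM key files of the FreeBSD 8.2 era.

```python
# Added example; names are illustrative and the key bodies below are constructed.
import base64, re, struct
MAGIC = b"openssh-key-v1\0"

def key_has_passphrase(text):
    """True/False for a recognised private key, None if the format is unknown."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return None
    label, body = m.groups()
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"  # cipher name
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, always encrypted
        return True
    if label.endswith("PRIVATE KEY"):         # legacy PEM (RSA/DSA/EC) or plain PKCS#8
        return "Proc-Type: 4,ENCRYPTED" in body
    return None

def pam_ssh_auth_rules(pam_conf):
    """Return [(rule, has_nullok)] for every auth rule that calls pam_ssh."""
    rules = []
    for raw in pam_conf.splitlines():
        f = raw.split("#", 1)[0].split()      # drop comments, split into fields
        if len(f) >= 3 and f[0] == "auth" and f[2].rsplit("/", 1)[-1].startswith("pam_ssh"):
            rules.append((" ".join(f), "nullok" in f[3:]))
    return rules

def audit(pam_conf, keys):
    """keys maps path -> file text. List unprotected keys if a pam_ssh rule lacks nullok."""
    if not any(not nullok for _, nullok in pam_ssh_auth_rules(pam_conf)):
        return []
    return sorted(p for p, t in keys.items() if key_has_passphrase(t) is False)

# Constructed sample input (no real key material).
SAMPLE_PAM = "auth required pam_ssh.so no_warn try_first_pass\n"
SAMPLE_KEYS = {
    "/home/targetuser/.ssh/id_rsa":
        "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "/home/other/.ssh/id_rsa":
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}
if __name__ == "__main__":
    for path in audit(SAMPLE_PAM, SAMPLE_KEYS):
        print("passphrase-less key under pam_ssh without nullok:", path)
```

Keys it reports are the ones the man page says pam_ssh ignores; on a host showing the behaviour in this report, give them a passphrase with ssh-keygen -p or take pam_ssh out of the auth chain.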