| Summary: | keyboard-interactive/pam leaks info about user existence | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Darren Tucker <dtucker> |
| Component: | PAM support | Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | -current | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=281595 | ||
| Bug Depends on: | |||
| Bug Blocks: | 701, 914 | ||
| Attachments: | |||
|
Description
Darren Tucker
2005-01-11 18:06:49 AEDT
Created attachment 765 [details]
Make kbdint code call driver even for non-existent users
Created attachment 766 [details]
Feed bogus input to PAM for invalid logins
Note: you will need to apply *both* patches (#765 and #766) to completely fix
the problem.
Patch #766 partially by Colin Watson.
Created attachment 771 [details]
Make kbdint call driver even for invalid logins
Instead of always continuing, this patch now leaves it up to the individual
drivers and adds a authctxt->valid check to bsdauth to maintain the current
behavior for it.
This is now fixed in -current and the 3.9 branch: - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user existence via keyboard-interactive/pam, in conjunction with previous auth2-chall.c change; with Colin Watson and djm. Created attachment 775 [details]
Patch for Kerberos timing difference for Valid and Invalid user
For PAM-Passwd Authentication with KerberosAuthentication being set to yes,
there exists a time difference for valid user and invalid user. The attached
patch fixes that.
With the release of OpenSSH 4.0, these bugs are now closed. For details, see: http://www.openssh.com/txt/release-4.0 |