Possible pam_ssh bug?

Dag-Erling Smørgrav des at des.no
Tue Nov 15 21:12:48 UTC 2011


Guy Helmer <guy.helmer at palisadesystems.com> writes:
> I have a shell user who is able to log in to his accounts via sshd on
> FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and
> .ssh/id_rsa.pub key pair without a password but nullok was not
> specified, so I think this should be considered a bug.

It turns out that this goes all the way to OpenSSL, which ignores the
passphrase if the key is not encrypted.  The only solution I can think
of - more of a workaround, really - is to first try to load the key with
an empty passphrase, and skip the key if that worked.  See the attached
(untested) patch.

A more advanced patch would load all keys but require at least one of
them to have a passphrase.

DES
-- 
Dag-Erling Smørgrav - des at des.no
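The workaround described in the message is to probe each key with an empty passphrase and refuse the key if that probe succeeds, because OpenSSL silently ignores the passphrase for an unencrypted key. The attached patch is not visible on this page; the following is an added, stand-alone Python example (not DES's patch and not pam_ssh code) that decides the same question by inspecting the key container directly: a legacy OpenSSL PEM key is encrypted only if it carries the `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers, a PKCS#8 key announces encryption in its PEM label, and (going beyond the 2011 context of the thread) the newer `openssh-key-v1` container records its cipher and KDF names in the first fields of the blob. The sample keys are constructed placeholders that contain only the headers the check looks at; `key_acceptable` is a hypothetical name standing in for the nullok decision pam_ssh would make.

```python
import base64
import struct

# --- Constructed sample inputs (NOT real keys): only the framing that decides
# --- "encrypted or not" is present; the key material is a dummy "AAAA".
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""

LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Build the leading fields of an openssh-key-v1 container (constructed,
    truncated after the key count; enough for the check below)."""
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


OPENSSH_PLAIN = _openssh_blob(b"none", b"none")
OPENSSH_ENCRYPTED = _openssh_blob(b"aes256-ctr", b"bcrypt")


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[off:off + n], off + n


def key_is_encrypted(text: str) -> bool:
    """Return True if the private key file is passphrase-protected.

    Raises ValueError on anything that is not a PEM-style key, so a malformed
    file is never mistaken for an encrypted one.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM-style key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        raw = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(magic))
        kdf, _ = _read_string(raw, off)
        # An unencrypted container records "none" for both cipher and KDF.
        return cipher != b"none" or kdf != b"none"

    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8, encrypted
        return True
    if label == "PRIVATE KEY":             # PKCS#8, cleartext
        return False

    # Legacy OpenSSL PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled
    # only by RFC 1421 headers before the blank line; no headers means cleartext.
    headers = {}
    for line in body:
        if not line:
            break
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    return headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers


def key_acceptable(text: str, nullok: bool = False) -> bool:
    """Hypothetical nullok rule: a cleartext key is only usable for
    authentication when the administrator explicitly allowed it."""
    return nullok or key_is_encrypted(text)


def audit_keys(keys: dict) -> list:
    """Names of keys that would authenticate with any password under the bug."""
    return [name for name, text in keys.items() if not key_is_encrypted(text)]


if __name__ == "__main__":
    sample = {"id_rsa(legacy)": LEGACY_PLAIN, "id_rsa(enc)": LEGACY_ENCRYPTED,
              "id_ed25519": OPENSSH_PLAIN, "id_ed25519(enc)": OPENSSH_ENCRYPTED}
    print("cleartext keys:", audit_keys(sample))
```

The header-based check is cheaper than the load-with-empty-passphrase probe and does not depend on OpenSSL's passphrase handling, but the two agree on the question that matters here: whether the key offers any secret at all beyond possession of the file.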

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_ssh_nullok.diff
Type: text/x-patch
Size: 1621 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20111115/7a9369ba/pam_ssh_nullok.bin