OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Andrei
az at azsupport.com
Wed Oct 23 11:54:12 UTC 2013
Hello,
I found that in the new FreeBSD 9.2 (probably in 10 also) updated OpenPAM sources.
The big embarrassment was in pam_get_authtok.c. The problem is that even without a
valid SSH login it's possible to know the server's hostname.
az at az:/home/az % ssh 1.2.3.4
Password for az at real.hostname.com:
Changes made by "des": http://www.openpam.org/changeset/510/openpam/trunk/lib
I really do not think that this behavior must be present! I ask the community to pay
attention to it and remove these harmful changes.
Kind regards,
Andrei.
More information about the freebsd-security
mailing list