OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)

Steven Hartland killing at multiplay.co.uk
Sun Oct 27 18:24:27 UTC 2013


----- Original Message ----- 
From: "Steven Hartland" <killing at multiplay.co.uk>
> ----- Original Message ----- 
> From: "Dag-Erling Smørgrav" <des at des.no>
>> Carlo Strub <cs at FreeBSD.org> writes:
>>> Andrei <az at azsupport.com> writes:
>>>> I found that the new FreeBSD 9.2 (probably 10 also) updated the
>>>> OpenPAM sources.  The big embarrassment was in pam_get_authtok.c. The
>>>> problem is that even without a valid SSH login it's possible to know
>>>> the server's hostname.
>>> I agree. That looks like an unnecessary privacy violation to me. What
>>> do you think des@?
>>
>> No.  This is intentional, and I will not change it.  If you don't like
>> it, you can override the default prompt in your PAM policy; see the
>> pam_get_authtok() man page for details.
>
> Out of curiosity, what's the reasoning behind it doing things?

That was meant to say doing "this", not "things".

    Regards
    Steve 
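The override des@ points at, written out as an added example (not something posted in this thread): the `authtok_prompt` module option from pam_get_authtok(3) replaces the library's built-in prompt, whose `%h` expansion is what exposes the local hostname to an unauthenticated SSH client. The `pam_unix.so` line shown as "before" is assumed to be the stock FreeBSD `/etc/pam.d/sshd` entry.

```conf
# /etc/pam.d/sshd (added example, not from the thread)
#
# Before: no prompt is given, so pam_get_authtok(3) falls back to its
# built-in prompt, which openpam_subst(3) expands (%u = user, %h = local
# hostname). That expanded prompt is sent before any credential is checked.
#auth    required    pam_unix.so    no_warn try_first_pass

# After: pin the prompt with the authtok_prompt option documented in
# pam_get_authtok(3). The value is still run through openpam_subst(3), so
# keep %h (hostname) out of it; a literal percent sign would need "%%".
auth    required    pam_unix.so    no_warn try_first_pass authtok_prompt=Password:
```

To confirm the change, an SSH password attempt against the host should now show a bare "Password:" prompt rather than one carrying the hostname; the same option can be added to any other module on the line that prompts for a password (for example pam_krb5.so) if it is enabled.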




