OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Andrei
az at azsupport.com
Sun Oct 27 18:58:05 UTC 2013
On Sun, 27 Oct 2013 18:58:45 +0100
Dag-Erling Smørgrav <des at des.no> wrote:
> >> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
> >> OpenPAM sources. The big embarrassment was in pam_get_authtok.c.
> >> The problem is that even without a valid SSH login it's possible
> >> to know the server's hostname.
> > I agree. That looks like an unnecessary privacy violation to me.
> > What do you think des@?
>
> No. This is intentional, and I will not change it. If you don't like
> it, you can override the default prompt in your PAM policy; see the
> pam_get_authtok() man page for details.
In /etc/pam.d/sshd from:
auth required pam_unix.so no_warn try_first_pass
to:
auth required pam_unix.so no_warn try_first_pass authtok_prompt
Right?
Kind regards,
Andrei.
More information about the freebsd-security
mailing list