OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Patrick Proniewski
patpro at patpro.net
Sun Oct 27 22:09:39 UTC 2013
On 27 oct. 2013, at 22:50, Andrei wrote:
> On Sun, 27 Oct 2013 22:33:56 +0100
> Dag-Erling Smørgrav <des at des.no> wrote:
>
>> Andrei <az at azsupport.com> writes:
>>> In /etc/pam.d/sshd from:
>>> auth required pam_unix.so no_warn
>>> try_first_pass to:
>>> auth required pam_unix.so no_warn try_first_pass authtok_prompt
>>>
>>> Right?
>>
>> auth required pam_unix.so no_warn try_first_pass
>> authtok_prompt="Password:"
>>
>> BTW, I recently noticed that try_first_pass doesn't work as documented
>> (and hasn't for ten years), but I haven't had time to fix it yet.
>
> You might be surprised, but authtok_prompt="Password:" have same results as
> just authtok_prompt. Empty screen and no "Password:" prompt.
> FreeBSD 9.2 tested.
Same here (9.2-RELEASE amd64), whatever I put for authtok_prompt.
The end of a verbose attempt reads:
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
and then, nothing.
patpro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4106 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20131027/4719b114/attachment.bin>
More information about the freebsd-security
mailing list