
system/2168: sshd permits random passwords on empty password accounts

>Number:         2168
>Category:       system
>Synopsis:       sshd permits random passwords on empty password accounts
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue Nov  6 11:40:01 MST 2001
>Last-Modified:
>Originator:     Jayaraj
>Organization:   Amrita Institute of Computer Technology

>Release:        openssh2.9.9p2
>Environment:
	
	System      : Linux 2.4.2-2
	Architecture: i686
	Machine     : i686
>Description:
The auth-pam.c file of the sshd server contains a small flaw that allows logins
to empty-password accounts even if the "PermitEmptyPasswords" option in the sshd
configuration file is set to "no". The scenario is as follows:

Using ssh, the user tries to log on to the machine with an account that has an
empty password. If the user presses Enter at the password prompt (an empty
password), access is denied. However, on entry of any random non-empty string
the user is granted a successful login.

In the "auth_pam_password" function (auth-pam.c) the lines:

    if(*password == '\0' && options.permit_empty_passwd == 0)
      return 0;

disallow a login to an empty-password account when an empty password is supplied.

However, if the user provides a random non-empty password, the user is able to
log in to an account that has an empty password. This is because the
"pam_authenticate" function, which is called from "do_pam_authenticate", is
always called with "flags" set to "0", so the decision is left entirely to the
PAM stack.

If the system PAM authentication configuration is tightened (for example by
removing the "nullok" option shown below), this can be disallowed. However,
since users rely on the SSH configuration, this non-intuitive and buggy
behaviour may be dangerous and can even be used to set a non-obvious trapdoor:
an account with an empty password looks locked out of ssh but is not.

>How-To-Repeat:

The sshd PAM configuration file must be the one shipped as part of the ssh
install. In the source package this file is "contrib/redhat/sshd.pam-7.x".

Since this file relies on the system-auth file, a copy of the system-auth file on my
system (standard Red Hat 7.1) is pasted below:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

(Note that this has the nullok configuration.)

Create an account that requires no password.

Using ssh, log on to the machine with the empty-password account name.

If the user presses Enter at the password prompt (an empty password), access is
denied. However, on entry of any random string the user is allowed in.

>Fix:
This problem can be overcome if "pam_authenticate" is called with the
"PAM_DISALLOW_NULL_AUTHTOK" flag when empty passwords are not permitted.
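To make the interaction described above concrete, here is an added model (not OpenSSH or Linux-PAM code) of the two checks involved: sshd's own empty-password test and a pam_unix-style module configured with nullok. The SIM_* constants, the account table and the cleartext "hashes" are constructed stand-ins; the `patched` argument selects between the original flags == 0 call and the flag this fix proposes.

```c
/* Constructed model of the sshd / pam_unix interaction in this report; not
 * OpenSSH or Linux-PAM code. The SIM_* macros stand in for PAM's constants. */
#include <string.h>

#define SIM_DISALLOW_NULL_AUTHTOK 1   /* stand-in for PAM_DISALLOW_NULL_AUTHTOK */
#define SIM_SUCCESS  0                /* stand-in for PAM_SUCCESS */
#define SIM_AUTH_ERR 7                /* stand-in for PAM_AUTH_ERR */

/* Constructed shadow-style records: an empty hash means "no password set";
 * the cleartext string stands in for a real hash. */
struct account { const char *name; const char *hash; };
static const struct account accounts[] = { { "guest", "" }, { "alice", "s3cret" } };

/* Models pam_unix.so: with the nullok option and an empty stored hash it
 * succeeds without ever comparing the supplied token, unless the caller
 * passed PAM_DISALLOW_NULL_AUTHTOK, which overrides nullok. */
static int sim_pam_unix_authenticate(const char *user, const char *token,
                                     int nullok, int flags)
{
    const struct account *a = NULL;
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            a = &accounts[i];
    if (a == NULL)
        return SIM_AUTH_ERR;
    if (a->hash[0] == '\0') {
        if (nullok && !(flags & SIM_DISALLOW_NULL_AUTHTOK))
            return SIM_SUCCESS;        /* the token is never inspected */
        return SIM_AUTH_ERR;
    }
    return strcmp(a->hash, token) == 0 ? SIM_SUCCESS : SIM_AUTH_ERR;
}

/* Models auth_pam_password(): sshd's own empty-password check, then the
 * pam_authenticate() call. patched == 0 reproduces the original call with
 * flags == 0; patched == 1 applies the fix proposed in this report.
 * nullok is passed as 1 because the quoted system-auth enables it.
 * Returns 1 when the login is accepted, 0 when it is refused. */
static int sim_auth_pam_password(const char *user, const char *password,
                                 int permit_empty_passwd, int patched)
{
    int flags = 0;
    if (*password == '\0' && permit_empty_passwd == 0)
        return 0;                      /* the existing check in auth-pam.c */
    if (patched && permit_empty_passwd == 0)
        flags = SIM_DISALLOW_NULL_AUTHTOK;
    return sim_pam_unix_authenticate(user, password, 1, flags) == SIM_SUCCESS;
}
```

With PermitEmptyPasswords set to no, the unpatched path refuses an empty password for "guest" but accepts any other string; the patched path refuses both while still accepting alice's real password.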

A possible patch for the problem is given below:

*** auth-pam.c	Tue Apr 24 00:08:37 2001
--- auth-amrita.c	Tue Nov  6 22:58:46 2001
***************
*** 203,208 ****
--- 203,209 ----
  {
  	extern ServerOptions options;
  	int pam_retval;
+         int flags=0;

  	do_pam_set_conv(&conv);

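Review bot: the added declaration `int flags=0;` is indented with spaces while every surrounding line in this function uses tabs; use the file's tab indentation (`\tint flags = 0;`) so the patch matches the style of auth-pam.c and applies cleanly.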
***************
*** 217,223 ****
  	__pampasswd = password;

  	pamstate = INITIAL_LOGIN;
! 	pam_retval = do_pam_authenticate(0);
  	if (pam_retval == PAM_SUCCESS) {
  		debug("PAM Password authentication accepted for "
  		    "user \"%.100s\"", pw->pw_name);
--- 218,227 ----
  	__pampasswd = password;

  	pamstate = INITIAL_LOGIN;
!         if ( options.permit_empty_passwd == 0 )
!            flag = PAM_DISALLOW_NULL_AUTHTOK;
!
! 	pam_retval = do_pam_authenticate(flags);
  	if (pam_retval == PAM_SUCCESS) {
  		debug("PAM Password authentication accepted for "
  		    "user \"%.100s\"", pw->pw_name);
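Review bot: the new assignment writes to `flag` (`flag = PAM_DISALLOW_NULL_AUTHTOK;`) but the variable declared in the first hunk and passed to `do_pam_authenticate(flags)` is `flags`; as written this fails to compile with an undeclared identifier, or, if some other `flag` happens to be in scope, silently leaves `flags` at 0 and reproduces the original behaviour. Change the line to `flags = PAM_DISALLOW_NULL_AUTHTOK;`. The added lines also use space indentation where the file uses tabs; the `PAM_DISALLOW_NULL_AUTHTOK` constant itself comes from <security/pam_appl.h>, which auth-pam.c already includes.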


>Audit-Trail:
>Unformatted: