misc/126650: pam_unix.so silently fails authenticating as non-root
user
Aaron Scarisbrick
aaronsca at gmail.com
Tue Aug 19 04:30:03 UTC 2008
>Number: 126650
>Category: misc
>Synopsis: pam_unix.so silently fails authenticating as non-root user
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 19 04:30:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Aaron Scarisbrick
>Release: 7.0-RELEASE-p3
>Organization:
>Environment:
FreeBSD nostromo.scarisbrick.org 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #3: Mon Jul 14 21:08:48 GMT 2008 root at nostromo.scarisbrick.org:/usr/src/sys/i386/compile/CUSTOM i386
>Description:
In trying to get /usr/ports/net/tac_plus4 to use PAM, it would silently fail authenticating against the pam_unix.so module. The root cause was that tac_plus was not running as root, and the getpwnam() function called by the pam_unix.so module would return a struct without a password to compare and always fail (i.e. PAM_AUTH_ERR). This made it always appear as though an incorrect password was entered, even though there was no way to verify whether it was or not.
>How-To-Repeat:
Install /usr/ports/net/tac_plus4 without OPIE or SKEY.
Configure /etc/pam.d/tac_plus to use pam_unix.so auth.
Configure /usr/local/etc/tac_plus.conf to use PAM login.
Configure /etc/rc.conf to allow tac_plus service.
Start tac_plus service via /usr/local/etc/rc.d/tac_plus
Configure NAS to use shiny new tac_plus service.
Attempt authentication on NAS.
Curse.
Lather, rinse, repeat.
>Fix:
Applying the attached patch to /usr/src/lib/libpam/modules/pam_unix/pam_unix.c should explicitly call out when a service is using the pam_unix.so module incorrectly (e.g. as a non-root user). It only reports the more descriptive error message if the password is NULL and the effective user id is not root.
Patch attached with submission follows:
--- pam_unix.c.orig 2008-08-19 03:16:47.000000000 +0000
+++ pam_unix.c 2008-08-19 03:51:04.000000000 +0000
@@ -129,6 +129,10 @@
if (strcmp(crypt(pass, realpw), realpw) == 0)
return (PAM_SUCCESS);
+ if (strcmp(realpw, "*") == 0 && geteuid() != 0) {
+ PAM_VERBOSE_ERROR("UNIX password field readable only by root");
+ return (PAM_CRED_UNAVAIL);
+ }
PAM_VERBOSE_ERROR("UNIX authentication refused");
return (PAM_AUTH_ERR);
}
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list