Possible pam_ssh bug?

Guy Helmer guy.helmer at palisadesystems.com
Tue Nov 15 16:55:15 UTC 2011


I have a shell user who is able to log in to his accounts via sshd on FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password, but nullok was not specified, so I think this should be considered a bug.

During diagnosis, /etc/pam.d/sshd was configured for authentication using: 

-------------
auth            required      pam_ssh.so              no_warn try_first_pass
-------------

I enabled _openpam_debug in pam_ssh and found this during a login via sshd to the user's account:

-------------
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/identity
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/id_dsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking login.access for user targetuser from host 172.16.1.240
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got login_cap
-------------

The view from the client machine during the login:

-------------
client:/usr/src/lib/libpam/modules/pam_ssh (557) ssh targetuser@fbsd8-i386
SSH passphrase: 
Last login: Tue Nov 15 08:39:28 2011 from 172.16.2.218
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
	The Regents of the University of California.  All rights reserved.

FreeBSD 8.2-RC3 (GENERIC) #0: Sat Jan 29 19:26:23 CST 2011
-------------

So, it asked for the target user's passphrase and successfully authenticated with any password. I understand what happened but I'm rather astonished by the result - I would not have expected pam_ssh to have succeeded on a passwordless key file when a password was required in the pam configuration file, based on the pam_ssh.8 man page:

     nullok          Normally, keys with no passphrase are ignored for authen-
                     tication purposes.  If this option is set, keys with no
                     passphrase will be taken into consideration, allowing the
                     user to log in with a blank password.


Thoughts?

Thanks,
Guy Helmer
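
An audit for the condition reported above, added here as an example (it is not part of the original message and is not pam_ssh code): it lists private keys stored without a passphrase on a host whose pam_ssh auth line lacks nullok. It goes beyond the PEM keys of the report to recognise PKCS#8 and openssh-key-v1 files as well; the function names, the `otheruser` path and the key bodies are constructed, and only simple PAM control words such as `required` are handled.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_passphraseless(text):
    """True/False for a recognised private key file, None if the format is unknown."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return None
    if "ENCRYPTED PRIVATE KEY" in lines[0]:      # encrypted PKCS#8
        return False
    if "OPENSSH PRIVATE KEY" in lines[0]:        # openssh-key-v1 container
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] == b"none"  # cipher "none": no passphrase
    if lines[0].endswith("PRIVATE KEY-----"):    # traditional PEM or plain PKCS#8
        return not any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:3])
    return None

def pam_ssh_auth_options(pam_conf):
    """Option lists of every 'auth <control> pam_ssh.so ...' line (simple control words)."""
    rows = (r.split("#", 1)[0].split() for r in pam_conf.splitlines())
    return [f[3:] for f in rows if len(f) >= 3 and f[0] == "auth" and f[2].endswith("pam_ssh.so")]

def audit(pam_conf, keys):
    """keys maps path -> file text. Return passphrase-less keys on a config lacking nullok."""
    if not any("nullok" not in opts for opts in pam_ssh_auth_options(pam_conf)):
        return []
    return sorted(p for p, t in keys.items() if key_is_passphraseless(t))

# Constructed samples: the auth line is the one quoted in the message; key bodies are placeholders.
SAMPLE_PAM = "auth            required      pam_ssh.so              no_warn try_first_pass\n"
SAMPLE_KEYS = {
    "/home/targetuser/.ssh/id_rsa":
        "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
    "/home/otheruser/.ssh/id_rsa":  # hypothetical second account with an encrypted key
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
        "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_KEYS))
```

Files the function cannot classify, such as the binary SSH1 `identity` format, return None and need a manual look.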
