bin/81231: Patch pam_ssh to reject keys with no passphrase by default

Daniel O'Connor doconnor at gsoft.com.au
Thu May 19 00:50:03 GMT 2005


>Number:         81231
>Category:       bin
>Synopsis:       Patch pam_ssh to reject keys with no passphrase by default
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 19 00:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Daniel O'Connor
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD inchoate.localdomain 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Tue May 3 01:14:04 CST 2005 darius at inchoate.localdomain:/usr/obj/usr/src/sys/INCHOATE i386


>Description:
Currently pam_ssh will allow a user to login with any password if they have a
key file with no passphrase.

>How-To-Repeat:
Change your passphrase to nothing & enable pam_ssh. You will be able to login
with any password.

>Fix:
This patch makes pam_ssh ignore keys with no passphrase unless the nullok
option is supplied.

http://www.gsoft.com.au/~doconnor/pam_ssh-nullpass.diff

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#       pam_ssh-nullpass.diff
#
echo x - pam_ssh-nullpass.diff
sed 's/^X//' >pam_ssh-nullpass.diff << 'END-of-pam_ssh-nullpass.diff'
XIndex: lib/libpam/modules/pam_ssh/pam_ssh.8
X===================================================================
XRCS file: /usr/CVS-Repository/src/lib/libpam/modules/pam_ssh/pam_ssh.8,v
Xretrieving revision 1.13
Xdiff -u -r1.13 pam_ssh.8
X--- lib/libpam/modules/pam_ssh/pam_ssh.8       2 Jul 2004 23:52:18 -0000       1.13
X+++ lib/libpam/modules/pam_ssh/pam_ssh.8       19 May 2005 00:13:20 -0000
X@@ -93,6 +93,10 @@
X option,
X except that if the previously obtained password fails,
X the user is prompted for another password.
X+.It Cm nullok
X+If this option is set then pam_ssh will consider keys with
X+no passphrase. Normally it will ignore those keys for the
X+purposes of authentication.
X .El
X .Ss SSH Session Management Module
X The
XIndex: lib/libpam/modules/pam_ssh/pam_ssh.c
X===================================================================
XRCS file: /usr/CVS-Repository/src/lib/libpam/modules/pam_ssh/pam_ssh.c,v
Xretrieving revision 1.40
Xdiff -u -r1.40 pam_ssh.c
X--- lib/libpam/modules/pam_ssh/pam_ssh.c       10 Feb 2004 10:13:21 -0000      1.40
X+++ lib/libpam/modules/pam_ssh/pam_ssh.c       19 May 2005 00:17:49 -0000
X@@ -87,7 +87,7 @@
X  * struct pam_ssh_key containing the key and its comment.
X  */
X static struct pam_ssh_key *
X-pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase)
X+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, int nullok)
X {
X       struct pam_ssh_key *psk;
X       char fn[PATH_MAX];
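Review bot: The header comment whose tail is visible at the top of this hunk still describes only the key and comment that pam_ssh_load_key returns, and says nothing about the new `nullok` parameter. Since the rejection behaviour lives in a later hunk of the same file, a reader of the signature has no way to tell what passing zero means; I would add a line to that comment such as ` * If nullok is zero, a key that loads with an empty passphrase is rejected.` The comment block begins above the hunk, so the line would go there rather than in the hunk itself.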
X@@ -97,6 +97,22 @@
X       if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn))
X               return (NULL);
X       comment = NULL;
X+
X+      /* Test if the key is loadable with no passphrase */
X+      if ((key = key_load_private(fn, "", &comment)) != NULL) {
X+              free(comment);
X+              key_free(key);
X+      }
X+
X+      /* If nullok is set check that the passphrase we got from the user is
X+       * null since SSH will ignore the passphrase we pass in if there is no
X+       * passphrase on the key so if we don't check that what is passed in
X+       * is empty the user will be able to login with *any* password(!)
X+       */
X+      if (!(nullok && passphrase[0] == '\0') && key != NULL) {
X+              openpam_log(PAM_LOG_NOTICE, "null passphrase was found, refusing to continue\n");
X+              return (NULL);
X+      }
X       key = key_load_private(fn, passphrase, &comment);
X       if (key == NULL) {
X               openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn);
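Review bot: In the test `if (!(nullok && passphrase[0] == '\0') && key != NULL)`, `key` has already been handed to `key_free()` by the probe block just above it, so the condition reads a pointer whose value is indeterminate after free; it works only because the value is compared rather than dereferenced, and `comment` is likewise left pointing at freed memory until the second `key_load_private()` overwrites it. Record the outcome of the empty-passphrase probe in a flag instead, and reset `key` and `comment` to NULL after freeing them, so the unconditional `key_load_private(fn, passphrase, &comment)` that follows starts from clean state. The NOTICE message would also be more useful to an operator if it named the key file, as the DEBUG message on the next line already does. This code assumes `passphrase` is never NULL here; the caller is outside the hunk, so that should be confirmed. pam_ssh_load_key's local declarations and the rest of its body lie outside this hunk, so the flag's declaration belongs with the other locals there.
```c
	/* Probe whether the key loads with an empty passphrase. */
	unprotected = 0;	/* int, declared with the other locals above the hunk */
	if ((key = key_load_private(fn, "", &comment)) != NULL) {
		free(comment);
		comment = NULL;
		key_free(key);
		key = NULL;
		unprotected = 1;
	}

	/* … unchanged: comment explaining why the supplied passphrase must be empty … */
	if (unprotected && !(nullok && passphrase[0] == '\0')) {
		openpam_log(PAM_LOG_NOTICE,
		    "%s has no passphrase, refusing to continue\n", fn);
		return (NULL);
	}
	/* … unchanged: key_load_private(fn, passphrase, &comment) and its error handling … */
```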
X@@ -136,11 +152,16 @@
X       const char **kfn, *passphrase, *user;
X       struct passwd *pwd;
X       struct pam_ssh_key *psk;
X-      int nkeys, pam_err, pass;
X+      int nkeys, pam_err, pass, nullok;
X
X       /* PEM is not loaded by default */
X       OpenSSL_add_all_algorithms();
X
X+      if (openpam_get_option(pamh, "nullok") != NULL)
X+              nullok = 1;
X+      else
X+              nullok = 0;
X+
X       /* get user name and home directory */
X       pam_err = pam_get_user(pamh, &user, NULL);
X       if (pam_err != PAM_SUCCESS)
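Review bot: The four-line if/else that sets `nullok` reduces to a single assignment, `nullok = (openpam_get_option(pamh, "nullok") != NULL);`, which reads more directly as the boolean flag it is later passed as. The enclosing function's signature is outside this hunk.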
X@@ -170,7 +191,7 @@
X       /* try to load keys from all keyfiles we know of */
X       nkeys = 0;
X       for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
X-              psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
X+              psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok);
X               if (psk != NULL) {
X                       pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
X                       ++nkeys;
END-of-pam_ssh-nullpass.diff
exit


>Release-Note:
>Audit-Trail:
>Unformatted:

