bin/81231: Patch pam_ssh to reject keys with no passphrase by
default
Daniel O'Connor
doconnor at gsoft.com.au
Thu May 19 00:50:03 GMT 2005
>Number: 81231
>Category: bin
>Synopsis: Patch pam_ssh to reject keys with no passphrase by default
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 19 00:50:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Daniel O'Connor
>Release: FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD inchoate.localdomain 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Tue May 3 01:14:04 CST 2005 darius at inchoate.localdomain:/usr/obj/usr/src/sys/INCHOATE i386
>Description:
Currently pam_ssh will allow a user to log in with any password if they have a
key file with no passphrase.
>How-To-Repeat:
Change your passphrase to nothing & enable pam_ssh. You will be able to log in
with any password.
>Fix:
This patch makes pam_ssh ignore keys with no passphrase unless the nullok
option is supplied.
http://www.gsoft.com.au/~doconnor/pam_ssh-nullpass.diff
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# pam_ssh-nullpass.diff
#
echo x - pam_ssh-nullpass.diff
sed 's/^X//' >pam_ssh-nullpass.diff << 'END-of-pam_ssh-nullpass.diff'
XIndex: lib/libpam/modules/pam_ssh/pam_ssh.8
X===================================================================
XRCS file: /usr/CVS-Repository/src/lib/libpam/modules/pam_ssh/pam_ssh.8,v
Xretrieving revision 1.13
Xdiff -u -r1.13 pam_ssh.8
X--- lib/libpam/modules/pam_ssh/pam_ssh.8 2 Jul 2004 23:52:18 -0000 1.13
X+++ lib/libpam/modules/pam_ssh/pam_ssh.8 19 May 2005 00:13:20 -0000
X@@ -93,6 +93,10 @@
X option,
X except that if the previously obtained password fails,
X the user is prompted for another password.
X+.It Cm nullok
X+If this option is set then pam_ssh will consider keys with
X+no passphrase. Normally it will ignore those keys for the
X+purposes of authentication.
X .El
X .Ss SSH Session Management Module
X The
XIndex: lib/libpam/modules/pam_ssh/pam_ssh.c
X===================================================================
XRCS file: /usr/CVS-Repository/src/lib/libpam/modules/pam_ssh/pam_ssh.c,v
Xretrieving revision 1.40
Xdiff -u -r1.40 pam_ssh.c
X--- lib/libpam/modules/pam_ssh/pam_ssh.c 10 Feb 2004 10:13:21 -0000 1.40
X+++ lib/libpam/modules/pam_ssh/pam_ssh.c 19 May 2005 00:17:49 -0000
X@@ -87,7 +87,7 @@
X * struct pam_ssh_key containing the key and its comment.
X */
X static struct pam_ssh_key *
X-pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase)
X+pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, int nullok)
X {
X struct pam_ssh_key *psk;
X char fn[PATH_MAX];
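Review bot: The header comment that ends just above the signature (`struct pam_ssh_key containing the key and its comment.`) is not updated for the new `nullok` parameter, so a reader of the prototype cannot tell what zero versus non-zero means. Add a sentence to that comment such as `* If nullok is zero, a key that loads with an empty passphrase is rejected.` The body of pam_ssh_load_key continues past the end of this hunk.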
X@@ -97,6 +97,22 @@
X if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn))
X return (NULL);
X comment = NULL;
X+
X+ /* Test if the key is loadable with no passphrase */
X+ if ((key = key_load_private(fn, "", &comment)) != NULL) {
X+ free(comment);
X+ key_free(key);
X+ }
X+
X+ /* If nullok is set check that the passphrase we got from the user is
X+ * null since SSH will ignore the passphrase we pass in if there is no
X+ * passphrase on the key so if we don't check that what is passed in
X+ * is empty the user will be able to login with *any* password(!)
X+ */
X+ if (!(nullok && passphrase[0] == '\0') && key != NULL) {
X+ openpam_log(PAM_LOG_NOTICE, "null passphrase was found, refusing to continue\n");
X+ return (NULL);
X+ }
X key = key_load_private(fn, passphrase, &comment);
X if (key == NULL) {
X openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn);
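Review bot: After `key_free(key)` the pointer `key` is left dangling and is then reused as the "key has no passphrase" flag in the `key != NULL` test; it is never dereferenced, so this works, but it reads like a use-after-free and may be flagged by static analysis. An explicit flag is clearer: declare `int nullpass = 0;` with the other locals (above the hunk), set `nullpass = 1;` after `key_free(key);`, and test `if (nullpass && !(nullok && passphrase[0] == '\0')) {`. The NOTICE log line could also name the file, as the DEBUG line below it does, e.g. `openpam_log(PAM_LOG_NOTICE, "null passphrase on %s, refusing to continue\n", fn);`. pam_ssh_load_key begins before and ends after this hunk; whether `passphrase` can be NULL at this point depends on the caller's handling of the auth token, which is outside the hunk.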
X@@ -136,11 +152,16 @@
X const char **kfn, *passphrase, *user;
X struct passwd *pwd;
X struct pam_ssh_key *psk;
X- int nkeys, pam_err, pass;
X+ int nkeys, pam_err, pass, nullok;
X
X /* PEM is not loaded by default */
X OpenSSL_add_all_algorithms();
X
X+ if (openpam_get_option(pamh, "nullok") != NULL)
X+ nullok = 1;
X+ else
X+ nullok = 0;
X+
X /* get user name and home directory */
X pam_err = pam_get_user(pamh, &user, NULL);
X if (pam_err != PAM_SUCCESS)
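Review bot: The four-line `if`/`else` that sets `nullok` is the only place the option is read and can be a single assignment, which also makes the default of "off" obvious at a glance: `nullok = (openpam_get_option(pamh, "nullok") != NULL);`. Rejecting passphrase-less keys unless the administrator opts in is the right default for an authentication module, and the option name matches the `nullok` convention used by other PAM modules. The enclosing function's signature and the rest of its body lie outside this hunk.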
X@@ -170,7 +191,7 @@
X /* try to load keys from all keyfiles we know of */
X nkeys = 0;
X for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
X- psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase);
X+ psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok);
X if (psk != NULL) {
X pam_set_data(pamh, *kfn, psk, pam_ssh_free_key);
X ++nkeys;
END-of-pam_ssh-nullpass.diff
exit
>Release-Note:
>Audit-Trail:
>Unformatted: