misc/126650: pam_unix.so silently fails authenticating as non-root user

Aaron Scarisbrick aaronsca at gmail.com
Tue Aug 19 04:30:03 UTC 2008 

>Number:         126650
>Category:       misc
>Synopsis:       pam_unix.so silently fails authenticating as non-root user
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 19 04:30:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Aaron Scarisbrick
>Release:        7.0-RELEASE-p3
>Organization:
>Environment:
FreeBSD nostromo.scarisbrick.org 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #3: Mon Jul 14 21:08:48 GMT 2008     root at nostromo.scarisbrick.org:/usr/src/sys/i386/compile/CUSTOM  i386
>Description:
In trying to get /usr/ports/net/tac_plus4 to use PAM, it would silently fail authenticating against the pam_unix.so module.  The root cause was that tac_plus was not running as root, and the getpwnam() function called by the pam_unix.so module would return a struct without a password to compare and always fail (i.e. PAM_AUTH_ERR). This made it always appear as though an incorrect password was entered, even though there was no way to verify whether it was or not.
>How-To-Repeat:
Install /usr/ports/net/tac_plus4 without OPIE or SKEY.
Configure /etc/pam.d/tac_plus to use pam_unix.so auth.
Configure /usr/local/etc/tac_plus.conf to use PAM login.
Configure /etc/rc.conf to allow tac_plus service.
Start tac_plus service via /usr/local/etc/rc.d/tac_plus
Configure NAS to use shiny new tac_plus service.
Attempt authentication on NAS.
Curse.
Lather, rinse, repeat.
>Fix:
Applying the attached patch to /usr/src/lib/libpam/modules/pam_unix/pam_unix.c should explicitly call out when a service is using the pam_unix.so module incorrectly (e.g. as a non-root user). It only reports the more descriptive error message if the password is NULL and the effective user id is not root.

Patch attached with submission follows:

--- pam_unix.c.orig	2008-08-19 03:16:47.000000000 +0000
+++ pam_unix.c	2008-08-19 03:51:04.000000000 +0000
@@ -129,6 +129,10 @@
 	if (strcmp(crypt(pass, realpw), realpw) == 0)
 		return (PAM_SUCCESS);
 
+	if (strcmp(realpw, "*") == 0 && geteuid() != 0) {
+		PAM_VERBOSE_ERROR("UNIX password field readable only by root");
+		return (PAM_CRED_UNAVAIL);
+	}
 	PAM_VERBOSE_ERROR("UNIX authentication refused");
 	return (PAM_AUTH_ERR);
 }


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list