Possible pam_ssh bug?

Guy Helmer guy.helmer at palisadesystems.com
Tue Nov 15 22:17:34 UTC 2011


On Nov 15, 2011, at 3:12 PM, Dag-Erling Smørgrav wrote:

> Guy Helmer <guy.helmer at palisadesystems.com> writes:
>> I have a shell user who is able to login to his accounts via sshd on
>> FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and
>> .ssh/id_rsa.pub key pair without a password but nullok was not
>> specified, so I think this should be considered a bug.
> 
> It turns out that this goes all the way to OpenSSL, which ignores the
> passphrase if the key is not encrypted.  The only solution I can think
> of - more of a workaround, really - is to first try to load the key with
> an empty passphrase, and skip the key if that worked.  See the attached
> (untested) patch.
> 
> A more advanced patch would load all keys but require at least one of
> them to have a passphrase.
> 
> DES
> -- 
> Dag-Erling Smørgrav - des at des.no
> 
> <pam_ssh_nullok.diff>

Yes, that patch applied OK to the 8.2 test machine and resolved the issue with the unencrypted id_rsa private key.  I didn't know of any other way to check the key either - nothing jumped out at me from the OpenSSL API documentation.

Thanks for the quick turnaround,
Guy
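The thread describes a key that OpenSSL loads regardless of passphrase because it was never encrypted. As an added example (not DES's patch, which works inside pam_ssh against the OpenSSL key-loading API), the stdlib-only Python below answers the same question from the on-disk format: does this private key carry a passphrase at all, and so should pam_ssh consider it when nullok is not set? The sample keys are constructed; their base64 bodies are dummies, since only the framing and headers are inspected.

```python
import base64
import struct

# Return True when the private key is passphrase-protected, False when it is
# stored in the clear (the case where OpenSSL ignores whatever passphrase is
# supplied). Three on-disk formats are recognised; anything else raises.
def key_is_encrypted(pem_text: str) -> bool:
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-formatted key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    # PKCS#8: the label itself states whether the blob is encrypted.
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    if label == "PRIVATE KEY":
        return False
    # OpenSSH native format: cipher name follows the "openssh-key-v1\0" magic.
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        cipher = blob[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    # Traditional PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by a
    # "Proc-Type: 4,ENCRYPTED" header plus a DEK-Info header before the body.
    headers = [l for l in lines[1:-1] if ":" in l]
    has_proc = any(h.replace(" ", "") == "Proc-Type:4,ENCRYPTED" for h in headers)
    has_dek = any(h.startswith("DEK-Info:") for h in headers)
    return has_proc and has_dek

# Policy mirroring what the thread asks for: an unencrypted key is only
# acceptable to pam_ssh when the nullok option has been given explicitly.
def usable_for_pam_ssh(pem_text: str, nullok: bool = False) -> bool:
    return nullok or key_is_encrypted(pem_text)

# Constructed sample keys (dummy bodies; only framing/headers are meaningful).
def _openssh_blob(cipher: bytes) -> str:
    body = b"openssh-key-v1\0" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

UNENCRYPTED_RSA = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAdummybody\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_RSA = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                 "dummybase64body\n-----END RSA PRIVATE KEY-----\n")
```

Run over each file under a user's ~/.ssh, `usable_for_pam_ssh(open(path).read())` flags the keys that would make pam_ssh accept any password on an 8.2 box without the fix.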
