OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
Dag-Erling Smørgrav
des at des.no
Sun Oct 27 17:58:46 UTC 2013
Carlo Strub <cs at FreeBSD.org> writes:
> Andrei <az at azsupport.com> writes:
>> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
>> OpenPAM sources. The big embarrassment was in pam_get_authtok.c. The
>> problem is that even without a valid SSH login it's possible to know
>> the server's hostname.
> I agree. That looks like an unnecessary privacy violation to me. What
> do you think des@?
No. This is intentional, and I will not change it. If you don't like
it, you can override the default prompt in your PAM policy; see the
pam_get_authtok() man page for details.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security
mailing list