OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)

Andrei az at
Sun Oct 27 18:58:05 UTC 2013

On Sun, 27 Oct 2013 18:58:45 +0100
Dag-Erling Smørgrav <des at> wrote:

> >> I found that in the new FreeBSD 9.2 (probably in 10 also) updated
> >> OpenPAM sources.  The big embarrassment was in pam_get_authtok.c.
> >> The problem is that even without a valid SSH login it's possible
> >> to know the server's hostname.
> > I agree. That looks like an unnecessary privacy violation to me.
> > What do you think des@?
> No.  This is intentional, and I will not change it.  If you don't like
> it, you can override the default prompt in your PAM policy; see the
> pam_get_authtok() man page for details.

In /etc/pam.d/sshd from:
auth            required             no_warn try_first_pass
auth            required             no_warn try_first_pass authtok_prompt


Kind regards,

More information about the freebsd-security mailing list