OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)
az at azsupport.com
Sun Oct 27 21:50:20 UTC 2013
On Sun, 27 Oct 2013 22:33:56 +0100
Dag-Erling Smørgrav <des at des.no> wrote:
> Andrei <az at azsupport.com> writes:
> > In /etc/pam.d/sshd from:
> > auth required pam_unix.so no_warn
> > try_first_pass to:
> > auth required pam_unix.so no_warn try_first_pass authtok_prompt
> > Right?
> auth required pam_unix.so no_warn try_first_pass
> BTW, I recently noticed that try_first_pass doesn't work as documented
> (and hasn't for ten years), but I haven't had time to fix it yet.
You might be surprised, but authtok_prompt="Password:" have same results as
just authtok_prompt. Empty screen and no "Password:" prompt.
FreeBSD 9.2 tested.
More information about the freebsd-security