OpenPAM/SSHD privacy hole (FreeBSD 9.2+ affected)

Andrei az at azsupport.com
Sun Oct 27 21:50:20 UTC 2013


On Sun, 27 Oct 2013 22:33:56 +0100
Dag-Erling Smørgrav <des at des.no> wrote:

> Andrei <az at azsupport.com> writes:
> > In /etc/pam.d/sshd from:
> > auth required pam_unix.so no_warn try_first_pass
> > to:
> > auth required pam_unix.so no_warn try_first_pass authtok_prompt
> >
> > Right?
> 
> auth required pam_unix.so no_warn try_first_pass authtok_prompt="Password:"
> 
> BTW, I recently noticed that try_first_pass doesn't work as documented
> (and hasn't for ten years), but I haven't had time to fix it yet.

You might be surprised, but authtok_prompt="Password:" has the same result as
just authtok_prompt: an empty screen and no "Password:" prompt.
Tested on FreeBSD 9.2.

Kind regards,
Andrei.

