On Tue, Jul 28, 2009 at 10:38:21AM -0400, Sam Hartman wrote:
> Folks, I'm writing at the suggestion of Don and Joey. There is a
> serious, but rare bug in pam, where a user can get into a situation
> where any password will be accepted to access their system.
>
> We're going to display a critical debconf note if we detect this
> situation. We'd like to point people to a webpage where they can find
> out more information.
>
> I would appreciate help getting this web page written and finding a
> place for it.

Similar to the one used for the OpenSSL issue, which used
http://www.debian.org/security/key-rollover, a detailed page at
/security/pam-auth or something might be a good place for that
information.

Or link the securing-debian-howto from the released DSA?

> I don't feel qualified to write the content; I'm hoping that the www
> team plus the people cc'd on this message can help us get that
> together. We would like to do this with some urgency. In the
> interest of full disclosure, this issue has been known since March, but
> Steve prepared a fix this week. Still, the faster we can get that fix
> out to our users, the better it will be.
>
> I think that a web page might contain pointers to:

http://wiki.debian.org/SecurityManagement and
http://www.debian.org/doc/manuals/securing-debian-howto/ mainly.

> * Why it's reasonable to assume that a system on the Internet with no
>   password will be compromised
> * Information on malicious software and botnets

There is a specific PAM chapter mentioning dictionary attacks at
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.fr.html#s4.10

> * Information on trying to do security recovery of a Debian system

http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.fr.html

> * Information on resources for commercial and free help in recovering

You mean recovering from a previous backup, or recovering from the
current "potentially compromised status" without any backup?
> Here's a draft of a debconf note I've put together; Steve has not
> reviewed, and it may change internally.
>
> Template: libpam-runtime/you-had-no-auth
> Type: note
> _Description: Your system allows access with no password!
>  When you configured PAM on this system, you elected to disable all
>  PAM profiles. As a result, any password will be accepted to gain
>  access to the system; even incorrect passwords will gain
>  access. Especially if this system can be accessed from the Internet,
>  it is likely that malicious software has been installed and the
>  system compromised. Unless you are familiar with recovering from
>  security failures, viruses, and malicious software you should
>  re-install this system from scratch or obtain the services of a
>  skilled system administrator. For more information see
>  http://www.debian.org/xxx
>  .
>  The PAM packaging has been improved and the automated PAM
>  configuration tool no longer permits this configuration. We
>  apologize that previous versions of the PAM configuration did not
>  detect and prevent this situation.

Regards.

-- 
Simon Paillard
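A defender-side check for the misconfiguration the debconf note describes, added here as an example and not part of this thread or of the Debian PAM packaging. It assumes that disabling every profile leaves an `auth` stack whose only module is pam_permit.so, so it flags any PAM file in which no `auth` line names a module other than pam_permit.so; the function name and the two sample files are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): detect a PAM "auth" stack that
# verifies nothing.  Assumption: a configuration with every profile
# disabled leaves a stack whose only auth module is pam_permit.so.
# Returns 0 (true) when the file is open, 1 when some other module runs.
pam_auth_stack_is_open() {
    file="$1"
    other_modules=0
    # Drop comments; collapse "[success=1 default=ignore]" controls to one
    # word so the module name always lands in the third column.
    cleaned=$(sed -e 's/#.*//' -e 's/\[[^]]*\]/CTRL/' "$file")
    while read -r type ctrl module rest; do
        [ "$type" = "auth" ] || continue   # skip blanks, @include, other types
        case "$module" in
            pam_permit.so) ;;              # accepts everything, checks nothing
            *) other_modules=$((other_modules + 1)) ;;
        esac
    done <<EOF
$cleaned
EOF
    # No auth line at all, or only pam_permit.so: nothing checks a credential.
    [ "$other_modules" -eq 0 ]
}

# Constructed sample files (not taken from any real system).
OPEN_STACK=$(mktemp)
cat > "$OPEN_STACK" <<'EOF'
# common-auth as assumed after disabling every profile
auth	required			pam_permit.so
EOF
SANE_STACK=$(mktemp)
cat > "$SANE_STACK" <<'EOF'
auth	[success=1 default=ignore]	pam_unix.so nullok_secure
auth	requisite			pam_deny.so
auth	required			pam_permit.so
EOF

for f in "$OPEN_STACK" "$SANE_STACK"; do
    if pam_auth_stack_is_open "$f"; then
        echo "OPEN: $f accepts any password"
    else
        echo "ok:   $f runs a module other than pam_permit.so"
    fi
done
```

On a real host the same function can be pointed at /etc/pam.d/common-auth; a hit means the stack should be regenerated before the box is trusted again.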