Bug#281595: timing attack allows attacker to determine valid usernames
On Sat, Nov 20, 2004 at 01:51:55PM +1100, Darren Tucker wrote:
> No, it's not fixed in 3.9p1.
>
> The problem is not exactly the same, though. In this case, it's partly
> because the keyboard-interactive code doesn't call the kbdint driver at
> all in this case. The first attached patch ought to fix that.
>
> With that fixed, a change to the PAM code is required because it will
> complete for a real user with their real password if, eg they are listed
> in DenyUsers. This will result in the PAM code getting out of sync with
> the kbdint code, resulting in the authentication hanging. The second
> patch ought to fix that.
>
> I haven't done much testing of either patch, so please let me know how
> they go.
Thanks for this. I've backported these to 3.8.1p1, which didn't have PAM
PasswordAuthentication; the patch is attached. It seems to work for me.
After a bit more testing I'll upload this to unstable.
Cheers,
--
Colin Watson [cjwatson@debian.org]
Index: auth-pam.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth-pam.c,v
retrieving revision 1.10
diff -p -u -r1.10 auth-pam.c
--- auth-pam.c 10 Jul 2004 12:36:49 -0000 1.10
+++ auth-pam.c 27 Nov 2004 17:25:56 -0000
@@ -169,6 +169,7 @@ static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
+static char badpw[] = "\b\n\r\177INCORRECT";
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
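Review bot: the new badpw sentinel carries no comment saying what it is for or why it has that shape; add one above the declaration along the lines of "dummy token fed to PAM for unknown users so the conversation costs the same as a failed real login; the control characters make it unlikely to equal any real password". It is only ever passed to buffer_put_cstring(), so it can also be `static const char badpw[]`.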
@@ -644,7 +645,10 @@ sshpam_respond(void *ctx, u_int num, cha
return (-1);
}
buffer_init(&buffer);
- buffer_put_cstring(&buffer, *resp);
+ if (sshpam_authctxt->valid)
+ buffer_put_cstring(&buffer, *resp);
+ else
+ buffer_put_cstring(&buffer, badpw);
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
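Review bot: for an invalid user the real response in *resp is silently dropped here but never wiped; that is only safe because the caller in auth2-chall.c memsets the responses with 'r' after respond() returns, so either note that dependency in a comment or clear *resp here as well. The branch would also benefit from a one-line comment stating why the dummy token is sent instead of the PAM round-trip being skipped: the fix depends on the PAM child doing the same work for an unknown user as for a real user with a bad password.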
Index: auth2-chall.c
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/auth2-chall.c,v
retrieving revision 1.1.1.3
diff -p -u -r1.1.1.3 auth2-chall.c
--- auth2-chall.c 17 Sep 2003 00:31:55 -0000 1.1.1.3
+++ auth2-chall.c 27 Nov 2004 17:25:57 -0000
@@ -275,12 +275,9 @@ input_userauth_info_response(int type, u
}
packet_check_eom();
- if (authctxt->valid) {
- res = kbdintctxt->device->respond(kbdintctxt->ctxt,
- nresp, response);
- } else {
- res = -1;
- }
+ res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
+ if (!authctxt->valid)
+ res = 1; /* keep going if login invalid */
for (i = 0; i < nresp; i++) {
memset(response[i], 'r', strlen(response[i]));
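Review bot: `res = 1` overrides whatever the driver returned for an invalid user, including -1 for a driver error, so a failing driver now yields "needs further interaction" for unknown users while it fails immediately for known ones; consider preserving the error case (`if (!authctxt->valid && res == 0) res = 1;`) or document that 1 is chosen to mirror the message sequence the PAM driver produces for a real user with a wrong password. The comment "keep going if login invalid" should say that matching the real user's exchange is the purpose, not merely avoiding an early failure.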
@@ -292,7 +289,7 @@ input_userauth_info_response(int type, u
switch (res) {
case 0:
/* Success! */
- authenticated = 1;
+ authenticated = authctxt->valid ? 1 : 0;
break;
case 1:
/* Authentication needs further interaction */
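Review bot: since the preceding hunk forces res to 1 whenever authctxt->valid is false, case 0 cannot be reached for an invalid user, so `authenticated = authctxt->valid ? 1 : 0;` is a defensive guard rather than the mechanism of the fix; mark it as such (a comment, or a debug() call on the should-not-happen branch) so a later change to the earlier branch does not silently make it load-bearing.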
Index: debian/changelog
===================================================================
RCS file: /home/cjwatson/cvs/openssh/openssh/debian/changelog,v
retrieving revision 1.108
diff -p -u -r1.108 changelog
--- debian/changelog 12 Nov 2004 11:17:20 -0000 1.108
+++ debian/changelog 27 Nov 2004 17:25:57 -0000
@@ -1,3 +1,11 @@
+openssh (1:3.8.1p1-8.sarge.4) UNRELEASED; urgency=low
+
+ * Fix timing information leak allowing discovery of invalid usernames in
+ PAM keyboard-interactive authentication (backported from a patch by
+ Darren Tucker; closes: #281595).
+
+ -- Colin Watson <cjwatson@debian.org> Sat, 27 Nov 2004 16:19:21 +0000
+
openssh (1:3.8.1p1-8.sarge.3) unstable; urgency=low
* Enable threading for PAM, on Sam Hartman's advice (closes: #278394).
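Review bot: the entry describes the fix as specific to PAM keyboard-interactive authentication, but the auth2-chall.c hunk removes the authctxt->valid gate around device->respond() for every kbdint device, not only the PAM one; say so in the entry so the behaviour change for the other drivers is on record.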
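As an added illustration, not code from the bug thread, the patch or OpenSSH: a stand-alone C simulation of the keyboard-interactive response path before and after the change above. The user table, the fake PAM conversation (a fixed-cost hash loop standing in for the PAM child's password check) and the names fake_pam_authtok, info_response_vulnerable and info_response_fixed are all constructed for this example; only the badpw string is taken from the patch. The outcome is collapsed to authenticated or not, so the "keep going" continuation of the real kbdint exchange is not modelled.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed user table for the demo: only "alice" exists. */
static int user_is_valid(const char *user)
{
    return strcmp(user, "alice") == 0;
}

/* Dummy token taken from the patch: control characters make it
 * unlikely to ever equal a real password. */
static const char badpw[] = "\b\n\r\177INCORRECT";

/* Stand-in for the PAM conversation (not PAM). It burns a fixed amount
 * of CPU whenever it is called, imitating a password hash, so the time
 * the "server" takes depends on whether it is called at all. The call
 * counter lets a test check that it actually ran. */
static unsigned long pam_calls;
static volatile uint64_t sink;

static int fake_pam_authtok(const char *user, const char *tok)
{
    uint64_t h = 1469598103934665603ULL;
    const char *p;
    int i;

    pam_calls++;
    for (i = 0; i < 100000; i++) {        /* constructed hashing cost */
        for (p = user; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
        for (p = tok; *p; p++)  { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    }
    sink = h;                             /* keep the loop from being optimised away */
    return (user_is_valid(user) && strcmp(tok, "correct horse") == 0) ? 0 : -1;
}

/* Before the patch: the driver is skipped for unknown users, so the
 * failure comes back before the "PAM" cost is paid.
 * Returns 1 if authenticated, 0 otherwise. */
static int info_response_vulnerable(const char *user, const char *tok)
{
    int res;

    if (user_is_valid(user))
        res = fake_pam_authtok(user, tok);
    else
        res = -1;
    return res == 0;
}

/* After the patch: the driver always runs, an unknown user is fed the
 * dummy token, the result is forced to "keep going", and success is
 * additionally gated on validity. Returns 1 if authenticated, 0 otherwise. */
static int info_response_fixed(const char *user, const char *tok)
{
    int valid = user_is_valid(user);
    int res = fake_pam_authtok(user, valid ? tok : badpw);

    if (!valid)
        res = 1;                          /* keep going if login invalid */
    return res == 0 && valid;
}

/* Wall-clock cost of one attempt, in microseconds. */
static long time_attempt(int (*fn)(const char *, const char *),
                         const char *user, const char *tok)
{
    struct timespec a, b;

    clock_gettime(CLOCK_MONOTONIC, &a);
    (void)fn(user, tok);
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (long)(b.tv_sec - a.tv_sec) * 1000000L
         + (long)(b.tv_nsec - a.tv_nsec) / 1000L;
}

int main(void)
{
    /* Unknown user answers far faster than a known one before the fix;
     * after it both pay the same cost. */
    printf("vulnerable: alice/wrong %ld us, mallory/wrong %ld us\n",
           time_attempt(info_response_vulnerable, "alice", "wrong"),
           time_attempt(info_response_vulnerable, "mallory", "wrong"));
    printf("fixed:      alice/wrong %ld us, mallory/wrong %ld us\n",
           time_attempt(info_response_fixed, "alice", "wrong"),
           time_attempt(info_response_fixed, "mallory", "wrong"));
    return 0;
}
```

Running it prints the two timings side by side; the property worth asserting in a regression test is the one the patch restores, that the costly driver call happens for unknown users too, which is what the call counter exposes.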