Date: 6 Dec 2002 14:46:03 -0000
From: Peter Pentchev <roam@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/46026: [PATCH] fix security/sudo PAM echo handling
Message-ID: <20021206144603.11223.qmail@straylight.ringlet.net>
>Number:         46026
>Category:       ports
>Synopsis:       [PATCH] fix security/sudo PAM echo handling
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 06 06:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Peter Pentchev <roam@FreeBSD.org>
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
SBND Technologies Ltd.
>Environment:
System: FreeBSD straylight.oblivion.bg 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Dec 6 11:53:43 EET 2002 roam@straylight.oblivion.bg:/usr/obj/usr/src/sys/RINGWORLD i386
>Description:
The security/sudo port has a slight deficiency in handling the PAM conversation. If a PAM module requests that passwords be echoed as they are typed in, the 'echo on' state remains active for the whole of the conversation, even for modules that have explicitly requested that echo be turned off.

This can lead to serious security problems if OPIE or S/Key is used in conjunction with other authentication mechanisms, since both OPIE and S/Key allow the user to enter the password in 'echo on' mode: any other PAM module invoked after that will have its passphrases echoed back, which may be undesirable in the pam_unix, pam_krb5, or indeed most other cases.
>How-To-Repeat:
Configure S/Key or OPIE authentication for a user. Try to log in. Press 'Enter' on the first S/Key or OPIE prompt, so the 'echo on' prompt is displayed. Press 'Enter' or enter an invalid passphrase at the 'echo on' prompt. Wait for the next auth module's 'Password:' prompt to appear, then watch in horrified fascination as your password is echoed straight back at you as you type it in.
>Fix:
NOTE: this fix will NOT fix the problem completely on at least 4.7-STABLE systems! Please see PR bin/46025, 'OPIE and S/Key PAM prompt echoing fixes', for a description and a fix of another related problem in the OPIE and S/Key PAM modules themselves.
Still, I believe that this fix should be applied before FreeBSD 5.0 is released; I will submit it to the sudo developers shortly. Index: ports/security/sudo/Makefile =================================================================== RCS file: /home/ncvs/ports/security/sudo/Makefile,v retrieving revision 1.53 diff -u -r1.53 Makefile --- ports/security/sudo/Makefile 14 Sep 2002 19:27:18 -0000 1.53 +++ ports/security/sudo/Makefile 6 Dec 2002 14:04:17 -0000 @@ -7,7 +7,7 @@ PORTNAME= sudo PORTVERSION= 1.6.6 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://ftp.cs.colorado.edu/pub/sysadmin/sudo/ \ Index: ports/security/sudo/files/patch-auth::pam.c =================================================================== RCS file: ports/security/sudo/files/patch-auth::pam.c diff -N ports/security/sudo/files/patch-auth::pam.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ ports/security/sudo/files/patch-auth::pam.c 6 Dec 2002 14:04:06 -0000 @@ -0,0 +1,10 @@ +--- auth/pam.c.old Tue Jan 22 18:43:23 2002 ++++ auth/pam.c Fri Dec 6 16:03:37 2002 +@@ -224,6 +224,7 @@ + /* Read the password. */ + pass = tgetpass(p, def_ival(I_PASSWD_TIMEOUT) * 60, + tgetpass_flags); ++ tgetpass_flags &= ~(TGP_ECHO); + pr->resp = estrdup(pass ? pass : ""); + if (*pr->resp == '\0') + nil_pw = 1; /* empty password */ >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
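Review bot: the added `tgetpass_flags &= ~(TGP_ECHO);` in the auth/pam.c hunk clears the echo bit unconditionally after every read, so it relies on the PAM_PROMPT_ECHO_ON branch re-setting the bit for each prompt and on nothing else ever having put TGP_ECHO into tgetpass_flags for the rest of the run. The hunk shows only the read, not where the flag is set; if tgetpass_flags is shared beyond this function and TGP_ECHO can be set before the conversation starts, this line silently discards that setting after the first prompt. A tighter fix would decide the echo mode per message in the switch on msg_style (set TGP_ECHO for PAM_PROMPT_ECHO_ON, clear it for PAM_PROMPT_ECHO_OFF) or save the caller's flags on entry to the conversation and restore them on exit, and a one-line comment next to the clear explaining why it is there would help the next reader. On the positive side, the clear runs even when tgetpass() returns NULL, which is what you want: a failed or empty read must not leave echo on for the next module's prompt.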
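As an added illustration (not part of the PR and not sudo's own source), the following C program models the conversation function described above with a stand-in for tgetpass() that records the echo state instead of reading a terminal. It runs a constructed three-message exchange modelled on the How-To-Repeat steps (an OTP challenge, the echo-on S/Key or OPIE prompt, then the next module's echo-off "Password:" prompt) through a conversation whose echo flag is sticky, as the PR describes, and through one that clears TGP_ECHO after each read, as the patch does. The PAM constants and message struct are redefined locally (values as in Linux-PAM and OpenPAM) so the example builds without libpam headers; the value of TGP_ECHO, the prompt strings and the function names are all assumptions made for the example.

```c
#include <stdio.h>

/*
 * Local stand-ins for the PAM conversation constants and message struct
 * (the real ones live in <security/pam_appl.h>); values match Linux-PAM
 * and OpenPAM but are repeated here so the example builds without libpam.
 */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4

struct pam_msg {
    int         msg_style;
    const char *msg;
};

/* Echo bit of sudo's tgetpass() flags: the name is sudo's, the value an assumption. */
#define TGP_ECHO 0x01

/*
 * Stand-in for tgetpass(): instead of reading the terminal it records
 * whether this prompt would have been issued with echo on (1) or off (0).
 */
static const char *fake_tgetpass(const char *prompt, int flags, int *echo_log, int idx)
{
    (void)prompt;
    echo_log[idx] = (flags & TGP_ECHO) != 0;
    return "constructed-response";
}

/*
 * A PAM conversation over a flags word shared by the whole conversation,
 * as in sudo's auth/pam.c.  With clear_after_read == 0 this is the bug the
 * PR describes: PAM_PROMPT_ECHO_ON sets TGP_ECHO and nothing clears it, so
 * every later PAM_PROMPT_ECHO_OFF prompt is echoed as well.  With
 * clear_after_read == 1 the bit is dropped after each read, which is the
 * one-line change in the PR's patch.  echo_log[i] is -1 when message i
 * issued no prompt.  Returns 0, or -1 on an unknown message style.
 */
static int converse(int clear_after_read, int n, const struct pam_msg *msgs, int *echo_log)
{
    int tgetpass_flags = 0;
    int i;

    for (i = 0; i < n; i++) {
        echo_log[i] = -1;
        switch (msgs[i].msg_style) {
        case PAM_PROMPT_ECHO_ON:
            tgetpass_flags |= TGP_ECHO;
            /* FALLTHROUGH */
        case PAM_PROMPT_ECHO_OFF:
            fake_tgetpass(msgs[i].msg, tgetpass_flags, echo_log, i);
            if (clear_after_read)
                tgetpass_flags &= ~TGP_ECHO;   /* echo decided per message */
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            break;                             /* nothing to read */
        default:
            return -1;
        }
    }
    return 0;
}

/*
 * Constructed exchange modelled on the PR's How-To-Repeat steps: an OTP
 * challenge as text info, the echo-on S/Key or OPIE prompt, then the next
 * module's echo-off "Password:" prompt.  The prompt strings are made up.
 */
#define NMSG 3
static const struct pam_msg sample[NMSG] = {
    { PAM_TEXT_INFO,       "otp-md5 497 ke1234" },
    { PAM_PROMPT_ECHO_ON,  "S/Key Password [echo on]: " },
    { PAM_PROMPT_ECHO_OFF, "Password: " },
};

/*
 * Echo state the conversation would use for sample message idx:
 * 1 echo on, 0 echo off, -1 no prompt issued, -2 bad index or failure.
 */
static int echo_state(int fixed, int idx)
{
    int echo_log[NMSG];

    if (idx < 0 || idx >= NMSG || converse(fixed, NMSG, sample, echo_log) != 0)
        return -2;
    return echo_log[idx];
}

/* 1 if the final echo-off "Password:" prompt would be echoed back. */
static int leaks_password_echo(int fixed)
{
    return echo_state(fixed, NMSG - 1) == 1;
}

int main(void)
{
    printf("sticky flags (unpatched):   Password: echoed = %d\n", leaks_password_echo(0));
    printf("cleared per read (patched): Password: echoed = %d\n", leaks_password_echo(1));
    return 0;
}
```

The sticky variant reproduces the symptom in the PR (the "Password:" prompt inherits echo from the S/Key step), while clearing the bit after each read leaves the echo-on prompt unchanged and restores echo-off for everything that follows it.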