From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Dec 10 15:30:16 2006
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Resent-Date: Sun, 10 Dec 2006 15:30:14 GMT
Resent-Message-Id: <200612101530.kBAFUENC098035@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Eugene M. Kim"
Message-Id: <200612101459.kBAExun4000650@seerajeane.astralblue.net>
Date: Sun, 10 Dec 2006 06:59:56 -0800 (PST)
From: "Eugene M. Kim"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: ports/106564: [PATCH] security/pam_bsdbioapi always requires finger swiping
Reply-To: "Eugene M. Kim"
List-Id: Ports bug reports
X-List-Received-Date: Sun, 10 Dec 2006 15:30:16 -0000

>Number:         106564
>Category:       ports
>Synopsis:       [PATCH] security/pam_bsdbioapi always requires finger swiping
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 10 15:30:09 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Eugene M. Kim
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD seerajeane.astralblue.net 7.0-CURRENT FreeBSD 7.0-CURRENT #12: Fri Dec 1 05:37:54 PST 2006 ab@seerajeane.astralblue.net:/home/FreeBSD/build/MAIN/obj/home/FreeBSD/build/MAIN/src/sys/PL-SEERAJEANE i386
>Description:
The pam_bsdbioapi(8) module always prompts the user to swipe a finger before failing and proceeding to the next module, even when the user has not enrolled yet.
>How-To-Repeat:
Enable pam_bsdbioapi(8) in /etc/pam.d/login and try to log in as a user who has not enrolled yet; the module prompts as if the user were enrolled.
>Fix:
Apply the following patch (placing it in /usr/ports/security/pam_bsdbioapi/files, for example), then add the -s option to the pam_bsdbioapi lines in /etc/pam.d/*:
-------------------- snip -------------------- snip -------------------- --- src/pam_bsdbioapi/pam_bsdbioapi.8 Thu Feb 23 06:15:13 2006 +++ src/pam_bsdbioapi/pam_bsdbioapi.8.new Sun Dec 10 06:36:31 2006 @@ -36,6 +36,7 @@ .Ar pam_bsdbioapi .Ar bsp-uuid .Ar backend +.Op -s .Op -f birdb-path .Op -m message-file .Sh DESCRIPTION 
@@ -69,6 +70,12 @@ This option is required. .Pp .Bl -tag -width ".Fl m Ar message-file" +.It Fl s +Fail without prompting the user to swipe finger if the user has not enrolled +yet. +This is useful if only a handful of users has enrolled, but leaks whether the +given user has enrolled, to whomever tries to authenticate as the user (e.g. +an attacker outside). .It Fl f Ar birdb-path Specify an alternative path to the birdb.conf file for backend configuration. The default is /usr/local/etc/birdb.conf --- src/pam_bsdbioapi/pam_bsdbioapi.c Thu Feb 23 06:15:13 2006 +++ src/pam_bsdbioapi/pam_bsdbioapi.c.new Sun Dec 10 06:26:57 2006 @@ -215,7 +215,7 @@ int argc, const char *argv[]) { const char *user, *bsp_id, *dbid, *conf, *msgfile; - int error, pam_retval = PAM_AUTH_ERR; + int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled; BioAPI_HANDLE *handle; struct birdb_rec keyrec, **recs; struct birdb_mod *bm; @@ -241,9 +241,10 @@ conf = DEFCONFPATH; msgfile = NULL; + skip_unenrolled = 0; optind = 2; - while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) { + while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) { switch (opt) { case 'm': msgfile = argv[optind - 1]; @@ -253,6 +254,9 @@ conf = argv[optind - 1]; PAM_LOG("Got birdb configuration file: %s", conf); break; + case 's': + skip_unenrolled = 1; + break; } } @@ -271,7 +275,6 @@ PAM_LOG("Got user: %s", user); setuid(euid); - pam_info(pamh, "Initiating biometric authentication..."); error = bioapi_init(); if (error) 
@@ -312,7 +315,8 @@ keyrec.br_key = (char *)user; recs = birdb_backend_get(bm, bmh, &keyrec); - if (recs != NULL) { + if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) { + pam_info(pamh, "Initiating biometric authentication..."); handle = bioapi_attach_bsp(bsp_id); if (handle == NULL) { PAM_VERBOSE_ERROR("Failed to attach the selected BSP"); -------------------- snip -------------------- snip --------------------
Note that the "skip-unenrolled" behavior is not enabled by default because of security implications (see the new pam_bsdbioapi(8) manpage).
>Release-Note:
>Audit-Trail:
>Unformatted:
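Review bot: in the man page hunk at @@ -69,6 +70,12 @@, the new `.It Fl s` text has a grammar slip ("only a handful of users has enrolled" should be "have enrolled") and "an attacker outside" understates who learns the enrollment status: anyone who can reach the login prompt and name the user, local or remote, sees whether a swipe is requested. Suggest: "This is useful if only a handful of users have enrolled, but it reveals whether a given user has enrolled to anyone who can attempt to authenticate as that user." It would also help to say here that -s is meant for configurations where the module falls through to a password module on failure, since that is what the Description relies on.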
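Review bot: in the getopt hunk at @@ -253,6 +254,9 @@, the new `case 's':` is silent while the neighbouring cases log what they parsed (`PAM_LOG("Got birdb configuration file: %s", conf);`); adding something like `PAM_LOG("Skipping unenrolled users");` keeps the debug output consistent and makes it visible in the logs that enrollment status is being disclosed on that service.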
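Review bot: the hunk at @@ -271,7 +275,6 @@ removes the "Initiating biometric authentication..." pam_info() call from before bioapi_init(), and the @@ -312 hunk re-adds it inside the enrollment-checked block, so the message now also moves after the BSP/backend setup for configurations that do not use -s: if bioapi_init() or the birdb lookup fails, the user no longer sees it. That looks intended, but the PR text does not mention the behaviour change; one sentence in the description would save reviewers a second look.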
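Review bot: the new condition in the @@ -312,7 +315,8 @@ hunk, `recs != NULL && (!skip_unenrolled || recs[0] != NULL)`, relies on birdb_backend_get() returning a non-NULL, NULL-terminated array whose first element is NULL for an unenrolled user; a comment stating that contract would help the next reader. The hunk does not show where `recs` is released, so confirm the cleanup path still runs when the block is skipped. Leaving `pam_retval` at PAM_AUTH_ERR in the skipped case (rather than, say, PAM_USER_UNKNOWN) is the right choice: it confines the leak the man page documents to the missing prompt instead of also encoding enrollment status in the return value handed to the rest of the stack.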
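For the deployment step in >Fix:, a constructed /etc/pam.d/login excerpt (added here; not part of the PR, the port or its documentation) showing where -s goes and why the line is marked sufficient. The module path is an assumption about where the FreeBSD port installs the shared object; the BSP UUID and backend name are placeholders.

```pam
# /etc/pam.d/login -- constructed excerpt, not the port's or the PR's own file.
# Module path assumed for the FreeBSD port; <bsp-uuid> and <backend> are placeholders
# for the two positional arguments the pam_bsdbioapi(8) SYNOPSIS requires.
#
# "sufficient": a successful swipe ends the auth chain. A failed swipe, or the
# -s short-circuit for a user with no enrollment record, falls through to the
# password module, so unenrolled users still log in without being asked to swipe.
#
# Trade-off documented in pam_bsdbioapi(8) by this patch: with -s, anyone who can
# reach this prompt learns whether a named account is enrolled (no swipe prompt
# means not enrolled). On services reachable from untrusted networks, omit -s and
# accept the extra swipe prompt for unenrolled users.
auth    sufficient  /usr/local/lib/pam_bsdbioapi.so  <bsp-uuid>  <backend>  -s
auth    required    pam_unix.so  no_warn try_first_pass
# account/session lines unchanged from the stock file.
```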