Date: Tue, 19 Aug 2008 04:28:10 GMT From: Aaron Scarisbrick <aaronsca@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/126650: pam_unix.so silently fails authenticating as non-root user Message-ID: <200808190428.m7J4SAkI010833@www.freebsd.org> Resent-Message-ID: <200808190430.m7J4U3Oa084071@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 126650 >Category: misc >Synopsis: pam_unix.so silently fails authenticating as non-root user >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Tue Aug 19 04:30:02 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Aaron Scarisbrick >Release: 7.0-RELEASE-p3 >Organization: >Environment: FreeBSD nostromo.scarisbrick.org 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #3: Mon Jul 14 21:08:48 GMT 2008 root@nostromo.scarisbrick.org:/usr/src/sys/i386/compile/CUSTOM i386 >Description: In trying to get /usr/ports/net/tac_plus4 to use PAM, it would silently fail authenticating against the pam_unix.so module. The root cause was that tac_plus was not running as root, and the getpwnam() function called by the pam_unix.so module would return a struct without a password to compare and always fail (i.e. PAM_AUTH_ERR). This made it always appear as though an incorrect password was entered, even though there was no way to verify whether it was or not. >How-To-Repeat: Install /usr/ports/net/tac_plus4 without OPIE or SKEY. Configure /etc/pam.d/tac_plus to use pam_unix.so auth. Configure /usr/local/etc/tac_plus.conf to use PAM login. Configure /etc/rc.conf to allow tac_plus service. Start tac_plus service via /usr/local/etc/rc.d/tac_plus Configure NAS to use shiny new tac_plus service. Attempt authentication on NAS. Curse. Lather, rinse, repeat. >Fix: Applying the attached patch to /usr/src/lib/libpam/modules/pam_unix/pam_unix.c should explicitly call out when a service is using the pam_unix.so module incorrectly (e.g. as a non-root user). It only reports the more descriptive error message if the password is NULL and the effective user id is not root. Patch attached with submission follows: --- pam_unix.c.orig 2008-08-19 03:16:47.000000000 +0000 +++ pam_unix.c 2008-08-19 03:51:04.000000000 +0000 @@ -129,6 +129,10 @@ if (strcmp(crypt(pass, realpw), realpw) == 0) return (PAM_SUCCESS); + if (strcmp(realpw, "*") == 0 && geteuid() != 0) { + PAM_VERBOSE_ERROR("UNIX password field readable only by root"); + return (PAM_CRED_UNAVAIL); + } PAM_VERBOSE_ERROR("UNIX authentication refused"); return (PAM_AUTH_ERR); } >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200808190428.m7J4SAkI010833>