Date:      6 Dec 2002 14:36:03 -0000
From:      Peter Pentchev <roam@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/46025: [PATCH] OPIE and S/Key PAM prompt echoing fixes
Message-ID:  <20021206143603.10949.qmail@straylight.ringlet.net>

>Number:         46025
>Category:       bin
>Synopsis:       [PATCH] OPIE and S/Key PAM prompt echoing fixes
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 06 06:40:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Peter Pentchev <roam@FreeBSD.org>
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
SBND Technologies Ltd.
>Environment:
System: FreeBSD straylight.oblivion.bg 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Dec 6 11:53:43 EET 2002 roam@straylight.oblivion.bg:/usr/obj/usr/src/sys/RINGWORLD i386

>Description:

The S/Key and OPIE PAM modules allow the user to see the pass phrase's
characters as they are entered.  This is done by turning on a PAM
conversation option that controls echoing of the entered passwords;
however, both modules neglect to turn it off afterwards, so if there are
additional authentication modules used if the S/Key or OPIE login should
fail, the passwords for those modules are echoed as they are entered.
This may be highly undesirable in certain situations :)

This has been tested using the Linux-PAM implementation in -STABLE;
unfortunately, I cannot test it on a -CURRENT system with OpenPAM right
now, but if this problem exists there too, then IMHO it is something
that should be fixed before 5.0 rolls out the door.  This is the reason
I have marked this PR as serious/high.

>How-To-Repeat:

Configure OPIE or S/Key authentication on a 4.7-STABLE box.

Try to log in.

Press 'Enter' on the first OPIE or S/Key password prompt, so that the
'Password: [echo on]' prompt is displayed.

Press 'Enter' or enter an invalid password at the 'echo on' prompt.

Wait for the normal pam_unix or krb5 or whatever 'Password' prompt to
appear, then watch in horrified fascination as your password is echoed
straight back at you as you type it in.

>Fix:

Note that the fix below only works if the PAM conversation mechanism
used actually honors the 'echo on' flag, or rather, handles the
'off-on-off' series of transitions properly; there is a separate problem
with using the security/sudo port, which I will submit as a separate PR.
Even with the above fixes, sudo will echo back the password for later
auth modules unless the patch to come in the next PR is applied to the
port.

Index: src/contrib/libpam/libpam_misc/misc_conv.c
===================================================================
RCS file: /home/ncvs/src/contrib/libpam/libpam_misc/Attic/misc_conv.c,v
retrieving revision 1.1.1.1.6.2
diff -u -r1.1.1.1.6.2 misc_conv.c
--- src/contrib/libpam/libpam_misc/misc_conv.c	11 Jun 2001 15:28:15 -0000	1.1.1.1.6.2
+++ src/contrib/libpam/libpam_misc/misc_conv.c	6 Dec 2002 14:21:03 -0000
@@ -181,7 +181,9 @@
 	    return NULL;
 	}
 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
-	if (!echo) {
+	if (echo) {
+	    term_tmp.c_lflag |= ECHO;
+	} else {
 	    term_tmp.c_lflag &= ~(ECHO);
 	}
 	have_term = 1;
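Review bot: the new `if (echo)` branch needs a comment saying why ECHO is forced on instead of being inherited from `term_before`. `term_tmp` starts as a copy of `term_before`, so the added `term_tmp.c_lflag |= ECHO;` only changes anything when the terminal already had ECHO cleared on entry; naming that case in a comment would make it clear the assignment is deliberate. Minor style point: the two branches now differ in parenthesisation, `|= ECHO` against `&= ~(ECHO)`.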
Index: src/lib/libpam/modules/pam_opie/pam_opie.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 pam_opie.c
--- src/lib/libpam/modules/pam_opie/pam_opie.c	3 Jul 2002 21:41:30 -0000	1.1.2.1
+++ src/lib/libpam/modules/pam_opie/pam_opie.c	6 Dec 2002 14:19:44 -0000
@@ -69,7 +69,7 @@
 	struct opie opie;
 	struct options options;
 	struct passwd *pwd;
-	int retval, i;
+	int retval, i, echo;
 	const char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
 	char challenge[OPIE_CHALLENGE_MAX];
 	char prompt[OPIE_CHALLENGE_MAX+22];
@@ -118,10 +118,14 @@
 	 */
 	pam_set_item(pamh, PAM_AUTHTOK, NULL);
 
+	echo = pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL);
+
 	for (i = 0; i < 2; i++) {
 		snprintf(prompt, sizeof prompt, promptstr[i], challenge);
 		retval = pam_get_pass(pamh, &response, prompt, &options);
 		if (retval != PAM_SUCCESS) {
+			if (!echo)
+				pam_clear_option(&options, PAM_OPT_ECHO_PASS);
 			opieunlock();
 			return (retval);
 		}
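Review bot: in the error path, `pam_clear_option(&options, PAM_OPT_ECHO_PASS);` runs immediately before `return (retval);`, and the declarations shown in the previous hunk have `struct options options;` as a local of this function. From the visible lines it is not clear what state outlives the return for this call to reset. If `pam_clear_option()` affects something beyond the local struct, a comment should say so; otherwise the clear on this path looks redundant. Also, `echo` holds the option's state on entry and not the current echo mode, so a name such as `echo_on_entry` would read better in `if (!echo)`.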
@@ -134,6 +138,9 @@
 		/* Second time round, echo the password */
 		pam_set_option(&options, PAM_OPT_ECHO_PASS);
 	}
+
+	if (!echo)
+		pam_clear_option(&options, PAM_OPT_ECHO_PASS);
 
 	/* We have to copy the response, because opieverify mucks with it. */
 	strlcpy(resp, response, sizeof (resp));
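Review bot: the restore after the loop, `if (!echo) pam_clear_option(&options, PAM_OPT_ECHO_PASS);`, repeats the two lines added to the error path in the previous hunk. Routing both the failure return and the success path through one exit point or a small helper would keep the restore from being missed if another early return is added later. A one-line comment that this undoes the "Second time round" `pam_set_option()` would also help.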
Index: src/lib/libpam/modules/pam_skey/pam_skey.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_skey/Attic/pam_skey.c,v
retrieving revision 1.2.6.1
diff -u -r1.2.6.1 pam_skey.c
--- src/lib/libpam/modules/pam_skey/pam_skey.c	3 Jul 2002 21:41:30 -0000	1.2.6.1
+++ src/lib/libpam/modules/pam_skey/pam_skey.c	6 Dec 2002 14:18:58 -0000
@@ -83,8 +83,9 @@
 		pam_set_option(&options, PAM_OPT_ECHO_PASS);
 		snprintf(prompt, sizeof prompt,
 			 "%s\nPassword [echo on]: ", challenge);
-		if ((retval = pam_get_pass(pamh, &response, prompt,
-		    &options)) != PAM_SUCCESS)
+		retval = pam_get_pass(pamh, &response, prompt, &options);
+		pam_clear_option(&options, PAM_OPT_ECHO_PASS);
+		if (retval != PAM_SUCCESS)
 			return retval;
 	}
 	/*
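Review bot: `pam_clear_option(&options, PAM_OPT_ECHO_PASS);` is unconditional here, while the pam_opie.c change saves the option with `pam_test_option()` and clears it only when it was not set on entry. If PAM_OPT_ECHO_PASS was already set when this block is entered, this hunk drops it. Either save and restore the entry state as pam_opie.c does, or add a comment explaining why an unconditional clear is correct for pam_skey.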
>Release-Note:
>Audit-Trail:
>Unformatted:
