FS#8742 - security flaw on console login - any username is denied directly without asking for password

Attached to Project: Arch Linux
Opened by Jan M. (funkyou) - Friday, 23 November 2007, 10:34 GMT
Last edited by Tom Killian (tomk) - Friday, 30 November 2007, 11:51 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Tobias Powalowski (tpowa), Aaron Griffin (phrakture), eliott (cactus), Tom Killian (tomk), Thomas Bächler (brain0)
Architecture i686
Severity High
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

When I log in to a virtual terminal and specify a user that does not exist on my machine, the login is denied immediately after entering the username.

Isn't the login supposed to accept every username at first (even if it doesn't exist) and print the "Password:" prompt anyway before finally denying the login when I enter a password for the non-existent user?

I consider this a security issue, because with a little knowledge about me it would be easier for a local attacker to compromise my system, since it's easy to find out which users exist on my machine... (and that's a start; sure, there are passwords, but it's a start...)

More details here:
http://bbs.archlinux.org/viewtopic.php?id=40246

Closed by Tom Killian (tomk)
Friday, 30 November 2007, 11:51 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in shadow 4.0.18.2-1
Comment by Aaron Griffin (phrakture) - Monday, 26 November 2007, 19:02 GMT
Added some people who might be able to answer my questions.

Have you possibly done any research into this? PAM is not my forte, but I don't see any glaring differences when compared to an Ubuntu box here, besides the nullok_secure stuff, which is Debian-specific.

Ideas?
Comment by Jan M. (funkyou) - Monday, 26 November 2007, 20:04 GMT
I just read your comment at the forums and added the mentioned options to the config.

This is the only message I get when specifying a nonexistent user:

login[4780]: FAILED LOGIN (1) on 'vc/1' FOR `UNKNOWN', User not known to the underlying authentication module
login[4780]: FAILED LOGIN (2) on 'vc/1' FOR `UNKNOWN', User not known to the underlying authentication module
login[4865]: FAILED LOGIN (3) on 'vc/1' FOR `UNKNOWN', User not known to the underlying authentication module
login[4865]: FAILED LOGIN (4) on 'vc/1' FOR `UNKNOWN', User not known to the underlying authentication module

It's the same message that appears when trying it without any username (just pressing Enter).

I'll try to look some more into this, but I have zero experience with PAM...
Comment by Aaron Griffin (phrakture) - Monday, 26 November 2007, 20:05 GMT
Eliott mentioned to me that our password stanzas are commented out. Could you try uncommenting the password stanza in /etc/pam.d/login that uses pam_unix.so ?
Comment by Jan M. (funkyou) - Monday, 26 November 2007, 20:18 GMT
Uncommented this line in /etc/pam.d/login:

password required pam_unix.so md5 shadow use_authtok

Rebooted (just to be sure), but still no go, and the same message in the logs.
Comment by Tom Killian (tomk) - Tuesday, 27 November 2007, 10:23 GMT
The securetty line in /etc/pam.d/login needs to be changed from 'requisite' to 'required'. Working as expected here with that change, if someone else can confirm, that would be good.
Comment by Tom Killian (tomk) - Tuesday, 27 November 2007, 10:28 GMT
.... and reassigned to those I just robbed it from :) I'm not that greedy, really....
Comment by Jan M. (funkyou) - Tuesday, 27 November 2007, 11:42 GMT
Works for me, thanks :-)

Just for completeness, here is how my /etc/pam.d/login looks now:

#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth required pam_unix.so nullok
auth required pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account required pam_access.so
account required pam_time.so
account required pam_unix.so
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so md5 shadow use_authtok
session required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/spool/mail standard
session optional pam_lastlog.so

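The comments above say what to change (pam_securetty from 'requisite' to 'required') but not why that restores the password prompt for unknown users. The following is an added example, not code from this bug report, from Arch or from shadow/Linux-PAM: a small Python model of libpam's auth-stack dispatch with the modules from the posted /etc/pam.d/login stubbed. The only behavioural assumption it makes is that pam_securetty resolves the username first and returns PAM_USER_UNKNOWN when it cannot, which is the error whose text ("User not known to the underlying authentication module") appears in the FAILED LOGIN lines above, and that pam_unix prompts before it verifies. The account database, the "broken" config and the user names are constructed for the example.

```python
"""Model of Linux-PAM 'auth' stack control flags, showing why
'auth requisite pam_securetty.so' short-circuits the stack for an unknown
user before pam_unix can ask for a password, while 'required' does not.

Simplified model of libpam's dispatch logic, not libpam itself. Module
behaviour is stubbed (see run_module).
"""

# Constructed account database standing in for getpwnam()/shadow.
KNOWN_USERS = {"jan": "correct-horse"}

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed configs: the pre-fix stack (securetty as requisite) and the
# auth lines from the /etc/pam.d/login posted in the thread.
BROKEN_LOGIN = """\
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_unix.so nullok
auth required pam_tally.so onerr=succeed file=/var/log/faillog
"""

FIXED_LOGIN = """\
auth required pam_securetty.so
auth requisite pam_nologin.so
auth required pam_unix.so nullok
auth required pam_tally.so onerr=succeed file=/var/log/faillog
"""


def parse_stack(text, stack_type="auth"):
    """Return [(control, module, args)] for one stack type of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != stack_type:
            continue
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_module(module, user, password, prompts):
    """Stubbed module behaviour for the modules in the posted config."""
    if module == "pam_securetty.so":
        # Assumption: pam_securetty resolves the user before checking the tty;
        # unknown -> PAM_USER_UNKNOWN, non-root -> PAM_SUCCESS.
        return PAM_SUCCESS if user in KNOWN_USERS else PAM_USER_UNKNOWN
    if module == "pam_unix.so":
        # pam_unix prompts before it can tell whether the account exists,
        # so an observer sees the same prompt for known and unknown users.
        prompts.append("Password:")
        if user not in KNOWN_USERS:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if KNOWN_USERS[user] == password else PAM_AUTH_ERR
    # pam_nologin (no /etc/nologin present) and pam_tally (onerr=succeed)
    # both pass in this model.
    return PAM_SUCCESS


def authenticate(stack, user, password):
    """Dispatch an auth stack; returns (final_code, prompts_shown)."""
    prompts = []
    first_failure = None
    for control, module, _args in stack:
        rc = run_module(module, user, password, prompts)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc, prompts          # abort at once: nothing below runs
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc          # remember, but keep walking the stack
        if control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, prompts
        # 'optional' results never affect the outcome
    return (first_failure or PAM_SUCCESS), prompts


def leaks_user_existence(stack):
    """Lint: a requisite pam_securetty ahead of the first password prompt
    lets a local attacker tell unknown users from known ones."""
    for control, module, _args in stack:
        if module == "pam_unix.so":
            return False
        if control == "requisite" and module == "pam_securetty.so":
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_LOGIN), ("fixed", FIXED_LOGIN)):
        stack = parse_stack(cfg)
        rc, prompts = authenticate(stack, "nosuchuser", "x")
        print(f"{name}: unknown user -> {rc}, prompts={prompts}, "
              f"leaks={leaks_user_existence(stack)}")
```

With the broken stack the unknown user is rejected with PAM_USER_UNKNOWN and no "Password:" prompt is ever shown; with the fixed stack the securetty failure is only recorded, pam_unix still prompts, and the final result is the same failure code, so the visible behaviour no longer depends on whether the account exists. The lint only looks for pam_securetty, the module this report is about; any other requisite module that resolves the user ahead of pam_unix would reintroduce the same leak and should be added to that check.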
Comment by Aaron Griffin (phrakture) - Tuesday, 27 November 2007, 16:33 GMT
Let's add one more assignee!

Tpowa, could you fix this ASAP? It's pretty important. If not, then one of us can get to it, thanks to TomK.

While on the topic, I just peeked and we have like 5 dead patches in CVS - can you remove those too?
Comment by Tobias Powalowski (tpowa) - Tuesday, 27 November 2007, 19:36 GMT
Could someone else look at it? I have no time atm.
Comment by Tom Killian (tomk) - Tuesday, 27 November 2007, 20:27 GMT
I'll do it. /etc/pam.d/login belongs to shadow, so it's a simple edit and bump.