Is there a fix available for CAN-2003-0190

Senthil Kumar senthilkumar_sen at hotpop.com
Wed Dec 22 18:15:02 EST 2004


Darren wrote:

> You will need to apply both patches.  The first patch
> (openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
> challenge-response authentications too so it needs wider testing.
>
> Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
> "PasswordAuthentication yes" in sshd_config (and restart sshd, obviously).


I tested OpenSSH-3.9p1 with the following options in sshd configuration

ChallengeResponseAuthentication `no`
KerberosAuthentication `yes`
passwordauthentication `yes`

but it shows a difference in time for the appearance of password prompts for 
both valid and invalid users. The code shows PAM password authentication is 
not attempted when KerberosAuthentication is enabled. So by disabling 
KerberosAuthentication there is no difference in time for the appearance of 
password prompts for both valid and invalid users (i.e. both cases have a 
considerable amount of delay).

Thanks,
Senthil Kumar.
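The symptom Senthil reports above, and the approach Darren's patches take, come down to one pattern: run the expensive authentication backend for unknown users too, feed it a fixed known-bad token, and mask the result afterwards, so both cases follow the same code path. The following is an added illustration of that pattern in Python; it is not code from this thread or from OpenSSH. The user table, the `backend_check` PBKDF2 routine, the call counter and the function names are all constructed for the example; only the sentinel string mirrors the one used in the thread.

```python
"""Toy model of the 'always run the backend check' mitigation for
timing differences between valid and invalid logins.

Added illustration, not OpenSSH code. The user database, hashing
backend and counters are constructed here so the module runs offline.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000


def _make_record(password: str) -> tuple:
    """Constructed credential store entry: (salt, PBKDF2-SHA256 hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user database with a single real account.
USERS = {"alice": _make_record("correct horse")}

# A record for "nobody": its password is random and discarded, so no
# candidate can ever match it. It only exists to give unknown users a
# backend check of the same cost as a real one.
DUMMY_RECORD = _make_record(os.urandom(16).hex())

# Sentinel fed to the backend for nonexistent users; same idea as the
# fixed bad-password token in the thread's auth-pam.c patch.
BADPW = "\b\n\r\x7fINCORRECT"

# Counts backend invocations so the test can prove both paths do equal work.
backend_calls = 0


def backend_check(salt: bytes, stored: bytes, password: str) -> bool:
    """Simulated slow backend (stands in for PAM / password hashing)."""
    global backend_calls
    backend_calls += 1
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def authenticate_naive(user: str, password: str) -> bool:
    """Vulnerable shape: unknown users are rejected before any backend work,
    so their prompt comes back measurably faster than a real user's."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return backend_check(salt, stored, password)


def authenticate_fixed(user: str, password: str) -> bool:
    """Mitigated shape: always pay for exactly one backend check.

    Unknown users are checked against the dummy record with the BADPW
    sentinel, and the final answer is masked by the validity flag, so a
    backend success can never authenticate an account that does not exist.
    """
    valid = user in USERS
    salt, stored = USERS[user] if valid else DUMMY_RECORD
    res = backend_check(salt, stored, password if valid else BADPW)
    return bool(res and valid)


def count_backend_calls(fn, user: str, password: str) -> int:
    """Return how many backend checks one call of fn(user, password) makes."""
    global backend_calls
    before = backend_calls
    fn(user, password)
    return backend_calls - before


if __name__ == "__main__":
    for fn in (authenticate_naive, authenticate_fixed):
        for user in ("alice", "mallory"):
            n = count_backend_calls(fn, user, "wrong")
            print(f"{fn.__name__:18s} {user:8s} backend checks: {n}")
```

The point of `count_backend_calls` is that the observable cost, not just the boolean answer, is what the fix equalises: the naive version does zero checks for `mallory` and one for `alice`, while the fixed version does one for both, and `authenticate_fixed` still never returns true for a user absent from `USERS`.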




----- Original Message ----- 
From: "Darren Tucker" <dtucker at zip.com.au>
To: "Logu" <logsnaath at gmx.net>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Tuesday, December 21, 2004 4:58 PM
Subject: Re: Is there a fix available for CAN-2003-0190


> Logu wrote:
>> Is there a fix available from openssh for the reported vulnerability
>> when pam is enabled.
>> http://www.securityfocus.com/bid/11781
>
> You will need to apply both patches.  The first patch
> (openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
> challenge-response authentications too so it needs wider testing.
>
> Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
> "PasswordAuthentication yes" in sshd_config (and restart sshd, obviously).
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>


--------------------------------------------------------------------------------


> Index: auth2-chall.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
> retrieving revision 1.21
> diff -u -p -r1.21 auth2-chall.c
> --- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
> +++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
> @@ -268,12 +268,9 @@ input_userauth_info_response(int type, u
>  }
>  packet_check_eom();
>
> - if (authctxt->valid) {
> - res = kbdintctxt->device->respond(kbdintctxt->ctxt,
> -     nresp, response);
> - } else {
> - res = -1;
> - }
> + res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
> + if (!authctxt->valid)
> + res = 1; /* keep going if login invalid */
>
>  for (i = 0; i < nresp; i++) {
>  memset(response[i], 'r', strlen(response[i]));
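Review bot: in the replaced block the value respond() returns is discarded for an invalid login and forced to 1, so a device error (-1) for a nonexistent user is now reported as "needs further interaction" instead of as a failure; if that is deliberate (re-prompt exactly as a wrong password on a real account would, so the two cases look alike), the comment should say so, since `/* keep going if login invalid */` does not explain why 1 was chosen over the old -1.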
> @@ -285,7 +282,7 @@ input_userauth_info_response(int type, u
>  switch (res) {
>  case 0:
>  /* Success! */
> - authenticated = 1;
> + authenticated = authctxt->valid ? 1 : 0;
>  break;
>  case 1:
>  /* Authentication needs further interaction */
>
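Review bot: the `authctxt->valid ? 1 : 0` guard at `case 0` is what stops an unknown user from being authenticated now that respond() runs for them too, but because the first hunk forces `res = 1` whenever `!authctxt->valid`, this branch is never reached for an invalid login and the guard is defence in depth; a one-line comment saying so would keep a later change to the first hunk from silently turning it into the only barrier.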


--------------------------------------------------------------------------------


> Index: auth-pam.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
> retrieving revision 1.118
> diff -u -p -r1.118 auth-pam.c
> --- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118
> +++ auth-pam.c 21 Dec 2004 11:23:23 -0000
> @@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
> static char **sshpam_env = NULL;
> static Authctxt *sshpam_authctxt = NULL;
> static const char *sshpam_password = NULL;
> +static char badpw[] = "\b\n\r\177INCORRECT";
>
> /* Some PAM implementations don't implement this */
> #ifndef HAVE_PAM_GETENVLIST
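Review bot: `badpw` is hoisted to file scope so that sshpam_respond can use the same sentinel sshpam_auth_passwd already used; since it is never written, declaring it `static const char badpw[]` would document that and let the compiler reject an accidental modification, provided both callers accept a const pointer (buffer_put_cstring takes `const char *`).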
> @@ -746,7 +747,12 @@ sshpam_respond(void *ctx, u_int num, cha
>  return (-1);
>  }
>  buffer_init(&buffer);
> - buffer_put_cstring(&buffer, *resp);
> + if (sshpam_authctxt->valid &&
> +     (sshpam_authctxt->pw->pw_uid != 0 ||
> +      options.permit_root_login == PERMIT_YES))
> + buffer_put_cstring(&buffer, *resp);
> + else
> + buffer_put_cstring(&buffer, badpw);
>  if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
>  buffer_free(&buffer);
>  return (-1);
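Review bot: the new condition sends the real response only for a known account that is either non-root or root with PermitRootLogin yes, and substitutes `badpw` otherwise so the PAM conversation runs to completion in every case; this deserves a comment in place, because it carries a second copy of the root-login policy and a reader of sshpam_respond alone cannot tell the substitution is deliberate. The `sshpam_authctxt->pw->pw_uid` dereference is only reached after `sshpam_authctxt->valid` short-circuits, which is correct as written; keep that ordering if the condition is ever rearranged.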
> @@ -1093,7 +1099,6 @@ sshpam_auth_passwd(Authctxt *authctxt, c
> {
>  int flags = (options.permit_empty_passwd == 0 ?
>      PAM_DISALLOW_NULL_AUTHTOK : 0);
> - static char badpw[] = "\b\n\r\177INCORRECT";
>
>  if (!options.use_pam || sshpam_handle == NULL)
>  fatal("PAM: %s called when PAM disabled or failed to "
>
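Review bot: removing the function-local `badpw` here is only safe because the file-scope definition added earlier in this patch carries the identical string; the remaining uses in sshpam_auth_passwd fall outside the shown context, so confirm nothing in that function depended on the array being local.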


--------------------------------------------------------------------------------


> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

