Is there a fix available for CAN-2003-0190
Senthil Kumar
senthilkumar_sen at hotpop.com
Wed Dec 22 21:20:52 EST 2004
Hi,
I tried the following workaround in auth-krb5.c to overcome the difference
in appearance of delay in password prompts for valid and invalid users in
OpenSSH-3.9p1.
diff auth-krb5.c auth-krb5.c-fix
78,79d77
< if (!authctxt->valid)
< return (0);
80a79,81
> if (!authctxt->valid)
> ;;
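Review bot: the replacement `if (!authctxt->valid) ;;` is an empty statement, so this diff is equivalent to simply deleting lines 78-79, and the `80a79,81` command announces three added lines while only two are shown, so a line of the diff appears to have been lost in the mail. More importantly, the removed `return (0)` was the only visible gate keeping an unknown user out of the Kerberos code that follows; once it is gone, the function has to be shown to return 0 for `!authctxt->valid` on every path, including the one where the KDC accepts the principal, or a name that exists in the realm but not in the local password file could authenticate. If the KDC round trip is what equalises the timing, keep it for invalid users but re-add the validity test where the result is returned, the way the quoted auth2-chall.c patch does with `authenticated = authctxt->valid ? 1 : 0;`.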
With this, there is no difference in time delay for appearance of password
prompts for both valid and invalid users with the following options in sshd
configuration.
ChallengeResponseAuthentication `no`
KerberosAuthentication `yes`
passwordauthentication `yes`
Will there be any problem with this approach? Is it necessary to have this
invalid user checking or will there be any impact if I remove this check
altogether?
Thanks,
Senthil Kumar.
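The timing leak this thread is about, as an added illustration that is not code from OpenSSH or from anyone on the list: a leaky login check that skips the back end for unknown users, beside the hardened shape the auth-pam.c patch uses (always do the work, hand the back end `badpw` for an invalid account, and gate success on validity). The `authctxt` struct, the back end and its user database are constructed stand-ins.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for OpenSSH's Authctxt: valid is set only when the
 * requested user exists in the password file. */
struct authctxt { bool valid; const char *user; };

/* Substitute token from the auth-pam.c patch: the control characters mean
 * it can never equal a real password. */
static const char badpw[] = "\b\n\r\177INCORRECT";

/* Constructed stand-in for the PAM/Kerberos back end; it counts calls so a
 * test can see which path actually paid for the slow credential check.
 * Constructed user database: only alice with "s3cret" is accepted. */
static int backend_calls;
static int backend_verify(const char *user, const char *password) {
	backend_calls++;
	return (strcmp(user, "alice") == 0 && strcmp(password, "s3cret") == 0) ? 0 : -1;
}

/* Leaky form, shaped like the early return the patches remove: an unknown
 * user never reaches the back end, so the reply returns noticeably faster
 * and confirms that the name does not exist. */
int auth_leaky(const struct authctxt *a, const char *password) {
	if (!a->valid)
		return 0;
	return backend_verify(a->user, password) == 0;
}

/* Hardened form following the auth-pam.c hunk: always run the back end, give
 * it badpw instead of the client's reply when the account is invalid, and
 * only report success for a valid account (as the auth2-chall.c hunk does). */
int auth_fixed(const struct authctxt *a, const char *password) {
	const char *tok = a->valid ? password : badpw;
	int res = backend_verify(a->user, tok);
	return (res == 0 && a->valid) ? 1 : 0;
}

/* Run one attempt against a fresh call counter; returns the auth verdict. */
int attempt(int (*auth)(const struct authctxt *, const char *),
    bool valid, const char *user, const char *password) {
	struct authctxt a = { valid, user };
	backend_calls = 0;
	return auth(&a, password);
}

/* Number of back-end calls the most recent attempt cost. */
int last_cost(void) { return backend_calls; }
```

The leaky form costs zero back-end calls for an unknown name and one for a known one, which is exactly the observable difference; the fixed form costs one call either way and still never authenticates an invalid account.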
----- Original Message -----
From: "Senthil Kumar" <senthilkumar_sen at hotpop.com>
To: "Darren Tucker" <dtucker at zip.com.au>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Wednesday, December 22, 2004 12:45 PM
Subject: Re: Is there a fix available for CAN-2003-0190
> Darren wrote:
>
>>You will need to apply both patches. The first patch
>> (openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
>> challenge-response authentications too so it needs wider testing.
>>
>> Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
>> "PasswordAuthentication yes" in sshd_config (and restart sshd,
>> obviously).
>
>
> I tested OpenSSH-3.9p1 with the following options in sshd configuration
>
> ChallengeResponseAuthentication `no`
> KerberosAuthentication `yes`
> passwordauthentication `yes`
>
> but it shows difference in time for the appearance of password prompts for
> both valid and invalid users. The code shows PAM-password Authentication
> is not attempted when KerberosAuthentication is enabled. So by disabling
> kerberosAuthentication there is no difference in time for the appearance
> of password prompts for both valid and invalid users (i.e. both cases have
> considerable amount of delay).
>
> Thanks,
> Senthil Kumar.
>
>
>
>
> ----- Original Message -----
> From: "Darren Tucker" <dtucker at zip.com.au>
> To: "Logu" <logsnaath at gmx.net>
> Cc: <openssh-unix-dev at mindrot.org>
> Sent: Tuesday, December 21, 2004 4:58 PM
> Subject: Re: Is there a fix available for CAN-2003-0190
>
>
>> Logu wrote:
>>> Is there a fix available from openssh for the reported vulnerability
>>> when pam is enabled.
>>> http://www.securityfocus.com/bid/11781
>>
>> You will need to apply both patches. The first patch
>> (openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
>> challenge-response authentications too so it needs wider testing.
>>
>> Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
>> "PasswordAuthentication yes" in sshd_config (and restart sshd,
>> obviously).
>>
>> --
>> Darren Tucker (dtucker at zip.com.au)
>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>> Good judgement comes with experience. Unfortunately, the experience
>> usually comes from bad judgement.
>>
>
>
> --------------------------------------------------------------------------------
>
>
>> Index: auth2-chall.c
>> ===================================================================
>> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
>> retrieving revision 1.21
>> diff -u -p -r1.21 auth2-chall.c
>> --- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
>> +++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
>> @@ -268,12 +268,9 @@ input_userauth_info_response(int type, u
>> }
>> packet_check_eom();
>>
>> - if (authctxt->valid) {
>> - res = kbdintctxt->device->respond(kbdintctxt->ctxt,
>> - nresp, response);
>> - } else {
>> - res = -1;
>> - }
>> + res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
>> + if (!authctxt->valid)
>> + res = 1; /* keep going if login invalid */
>>
>> for (i = 0; i < nresp; i++) {
>> memset(response[i], 'r', strlen(response[i]));
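Review bot: forcing `res = 1` for an invalid user discards whatever `respond()` returned and sends the exchange into the "needs further interaction" branch; check that the device's next query terminates for such a user (the device reporting failure, or the failure counter tripping) so that an invalid login cannot be held in the prompt loop without ever counting as a failure. A comment on why `respond()` is now called unconditionally (so the device does the same work for valid and invalid names) would also help, since `/* keep going if login invalid */` only explains the `res = 1` part.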
>> @@ -285,7 +282,7 @@ input_userauth_info_response(int type, u
>> switch (res) {
>> case 0:
>> /* Success! */
>> - authenticated = 1;
>> + authenticated = authctxt->valid ? 1 : 0;
>> break;
>> case 1:
>> /* Authentication needs further interaction */
>>
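Review bot: `authenticated = authctxt->valid ? 1 : 0;` is defence in depth, because the first hunk already maps an invalid user to `res = 1` so case 0 should be unreachable for them; say so in a comment, otherwise it reads as if case 0 could genuinely be reached with an invalid login. This gate is also what makes the unconditional `respond()` call in the first hunk safe, so the two hunks have to land together.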
>
>
> --------------------------------------------------------------------------------
>
>
>> Index: auth-pam.c
>> ===================================================================
>> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>> retrieving revision 1.118
>> diff -u -p -r1.118 auth-pam.c
>> --- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118
>> +++ auth-pam.c 21 Dec 2004 11:23:23 -0000
>> @@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
>> static char **sshpam_env = NULL;
>> static Authctxt *sshpam_authctxt = NULL;
>> static const char *sshpam_password = NULL;
>> +static char badpw[] = "\b\n\r\177INCORRECT";
>>
>> /* Some PAM implementations don't implement this */
>> #ifndef HAVE_PAM_GETENVLIST
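Review bot: `badpw` moves to file scope because `sshpam_respond` now needs it as well as `sshpam_auth_passwd`; add a one-line comment above it saying that it is a substitute password chosen so that it will not match any real one, because at file scope it no longer sits next to the code that explains its use. This hunk and the `@@ -1093` hunk must be applied together, or `badpw` is defined twice.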
>> @@ -746,7 +747,12 @@ sshpam_respond(void *ctx, u_int num, cha
>> return (-1);
>> }
>> buffer_init(&buffer);
>> - buffer_put_cstring(&buffer, *resp);
>> + if (sshpam_authctxt->valid &&
>> + (sshpam_authctxt->pw->pw_uid != 0 ||
>> + options.permit_root_login == PERMIT_YES))
>> + buffer_put_cstring(&buffer, *resp);
>> + else
>> + buffer_put_cstring(&buffer, badpw);
>> if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
>> buffer_free(&buffer);
>> return (-1);
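Review bot: the substitution keeps the PAM conversation running for an invalid user, and for root when `PermitRootLogin` is not `yes`, so those cases take the same time as a valid account instead of short-circuiting. The test `valid && (pw_uid != 0 || permit_root_login == PERMIT_YES)` is policy, and the `@@ -1093` hunk shows `sshpam_auth_passwd` already carried its own `badpw`, so it presumably applies the same test; factor it into a small helper (say `sshpam_may_use_password(authctxt)`, a suggested name) that both call, so the two cannot drift. Also, the client's real `*resp` is discarded on the `else` branch; confirm the caller still frees and clears it identically on both paths.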
>> @@ -1093,7 +1099,6 @@ sshpam_auth_passwd(Authctxt *authctxt, c
>> {
>> int flags = (options.permit_empty_passwd == 0 ?
>> PAM_DISALLOW_NULL_AUTHTOK : 0);
>> - static char badpw[] = "\b\n\r\177INCORRECT";
>>
>> if (!options.use_pam || sshpam_handle == NULL)
>> fatal("PAM: %s called when PAM disabled or failed to "
>>
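Review bot: this hunk only removes the local `badpw`; the use site in `sshpam_auth_passwd` lies outside the hunk's context, so confirm it now resolves to the file-scope `badpw` added in the `@@ -186` hunk (same contents, so behaviour is unchanged) and that the root-login test in that function matches the one just added to `sshpam_respond`.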
>
>
> --------------------------------------------------------------------------------
>
>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.791 / Virus Database: 535 - Release Date: 11/13/2004