Is there a fix available for CAN-2003-0190

Senthil Kumar senthilkumar_sen at hotpop.com
Wed Dec 22 21:20:52 EST 2004


Hi,

I tried the following workaround in auth-krb5.c to overcome the difference
in appearance of delay in password prompts for valid and invalid users in
OpenSSH-3.9p1.

diff auth-krb5.c auth-krb5.c-fix
78,79d77
<       if (!authctxt->valid)
<               return (0);
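Review bot: deleting the `if (!authctxt->valid) return (0);` guard makes the Kerberos password path run its full exchange for names that have no account, using whatever `authctxt` holds for such a name, and nothing in this hunk shows the rest of that code is safe to run in that state. The safer fix keeps the guard's effect on the verdict but takes it off the timing path, which is what the auth2-chall.c and auth-pam.c patches quoted in this thread do: run the backend either way, then force `authenticated` to 0 when `!authctxt->valid`.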
80a79,81
>          if (!authctxt->valid)
>            ;;
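Review bot: the added `if (!authctxt->valid) ;;` is an empty `if` body followed by a null statement, so it compiles to nothing and a compiler with warnings enabled may flag the empty body. If the intent is only to mark where the invalid-user case used to be handled, make it a comment; if the intent is to keep a distinct path for invalid users, it needs a body that forces the result to failure, along the lines of the `res = 1; /* keep going if login invalid */` line in the auth2-chall.c patch.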

With this, there is no difference in time delay for appearance of password
prompts for both valid and invalid users with the following options in sshd
configuration.

ChallengeResponseAuthentication `no`
KerberosAuthentication `yes`
passwordauthentication `yes`

Will there be any problem with this approach? Is it necessary to have this
invalid user checking or will there be any impact if I remove this check
altogether?

Thanks,
Senthil Kumar.
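To make the difference between the two approaches in this thread concrete, here is a small C model of the timing oracle and of the constant-work fix. It is an added example written for this page, not OpenSSH code: the account table, the user names, the placeholder secret, the `slow_verify` stand-in for the Kerberos or PAM backend and the `VERIFY_ROUNDS` work counter are all constructed; only the `BADPW` string and the shape of the two checks are taken from the patches quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed account table for the demonstration; these are not real
 * accounts, and the "stored" secrets stand in for whatever the Kerberos or
 * PAM backend would actually check.
 */
struct account { const char *name; const char *secret; };
static const struct account ACCOUNTS[] = {
    { "alice", "correct horse" },
    { "bob",   "battery staple" },
};

/* Placeholder record for names with no account (constructed value, playing
 * the role of sshd's fake passwd entry for invalid users). */
static const char PLACEHOLDER_SECRET[] = "no-such-account-placeholder";

/* Canned password the backend must never accept for anyone; the same idea
 * as the badpw string in the auth-pam.c patch. */
static const char BADPW[] = "\b\n\r\177INCORRECT";

#define VERIFY_ROUNDS 1000UL   /* cost of one backend verification, in work units */

/* Outcome of an attempt plus the backend work it performed; the work count
 * models the delay a remote client can observe before the reply. */
struct auth_result { int authenticated; unsigned long work; };

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Stand-in for the slow backend (KDC round trip, PAM conversation, hash):
 * burns VERIFY_ROUNDS units of work and reports whether the secret matched. */
static int slow_verify(const char *stored, const char *supplied, unsigned long *work) {
    unsigned long mix = 0;
    for (unsigned long r = 0; r < VERIFY_ROUNDS; r++) {
        for (const char *p = supplied; *p; p++)
            mix = mix * 31 + (unsigned char)*p;
        (*work)++;
    }
    (void)mix;
    return strcmp(stored, supplied) == 0;
}

/* Shape of the original code: return before the slow backend when the name
 * has no account, so unknown names fail after zero work and known names
 * after VERIFY_ROUNDS. That gap is the CAN-2003-0190 username oracle. */
struct auth_result auth_early_return(const char *name, const char *password) {
    struct auth_result r = { 0, 0 };
    const struct account *acct = lookup(name);
    if (acct == NULL)
        return r;               /* like "if (!authctxt->valid) return (0);" */
    r.authenticated = slow_verify(acct->secret, password, &r.work);
    return r;
}

/* Shape of the quoted patches: keep the validity check but move it off the
 * timing path. Always run the backend; for an unknown name feed it the
 * placeholder record and the canned bad password, then force the verdict
 * to failure no matter what the backend said. */
struct auth_result auth_constant_work(const char *name, const char *password) {
    struct auth_result r = { 0, 0 };
    const struct account *acct = lookup(name);
    int valid = (acct != NULL);
    const char *stored   = valid ? acct->secret : PLACEHOLDER_SECRET;
    const char *supplied = valid ? password     : BADPW;
    int backend_ok = slow_verify(stored, supplied, &r.work);
    r.authenticated = valid ? backend_ok : 0;  /* like "authenticated = authctxt->valid ? 1 : 0" */
    return r;
}

/* Difference in backend work between a known and an unknown name for one
 * of the two shapes above; zero is what the hardened path must achieve. */
unsigned long work_gap(struct auth_result (*auth)(const char *, const char *)) {
    unsigned long known   = auth("alice",   "wrong guess").work;
    unsigned long unknown = auth("mallory", "wrong guess").work;
    return known > unknown ? known - unknown : unknown - known;
}

int main(void) {
    printf("early-return  work gap, known vs unknown name: %lu\n", work_gap(auth_early_return));
    printf("constant-work work gap, known vs unknown name: %lu\n", work_gap(auth_constant_work));
    printf("unknown name with the placeholder's own secret accepted? %d\n",
           auth_constant_work("mallory", "no-such-account-placeholder").authenticated);
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: `work_gap()` is 1000 for the early-return shape and 0 for the constant-work shape, and an unknown name is never authenticated even when the supplied password happens to equal the placeholder secret, because the supplied value is swapped for `BADPW` and the verdict is forced anyway. This is the point the question above turns on: the `valid` check is still needed, for the verdict; what has to go is its influence on how much work is done before the reply.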




----- Original Message ----- 
From: "Senthil Kumar" <senthilkumar_sen at hotpop.com>
To: "Darren Tucker" <dtucker at zip.com.au>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Wednesday, December 22, 2004 12:45 PM
Subject: Re: Is there a fix available for CAN-2003-0190


> Darren wrote:
>
>> You will need to apply both patches.  The first patch
>> (openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
>> challenge-response authentications too so it needs wider testing.
>>
>> Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
>> "PasswordAuthentication yes" in sshd_config (and restart sshd, 
>> obviously).
>
>
> I tested OpenSSH-3.9p1 with the following options in sshd configuration
>
> ChallengeResponseAuthentication `no`
> KerberosAuthentication `yes`
> passwordauthentication `yes`
>
> but it shows a difference in time for the appearance of password prompts for
> both valid and invalid users. The code shows PAM-password Authentication
> is not attempted when KerberosAuthentication is enabled. So by disabling
> kerberosAuthentication there is no difference in time for the appearance
> of password prompts for both valid and invalid users (i.e. both cases have
> considerable amount of delay).
>
> Thanks,
> Senthil Kumar.
>
>
>
>
> ----- Original Message ----- 
> From: "Darren Tucker" <dtucker at zip.com.au>
> To: "Logu" <logsnaath at gmx.net>
> Cc: <openssh-unix-dev at mindrot.org>
> Sent: Tuesday, December 21, 2004 4:58 PM
> Subject: Re: Is there a fix available for CAN-2003-0190
>
>
>> Logu wrote:
>>> Is there a fix available from openssh for the reported vulnerability
>>> when pam is enabled.
>>> http://www.securityfocus.com/bid/11781
>>
>> You will need to apply both patches.  The first patch
>> (openbsd-sshd-kbdint-leak) affects more than PAM, it affects all other
>> challenge-response authentications too so it needs wider testing.
>>
>> Alternatively, for 3.9p1 set "ChallengeResponseAuthentication no" and
>> "PasswordAuthentication yes" in sshd_config (and restart sshd, 
>> obviously).
>>
>> -- 
>> Darren Tucker (dtucker at zip.com.au)
>> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>>     Good judgement comes with experience. Unfortunately, the experience
>> usually comes from bad judgement.
>>
>
>
> --------------------------------------------------------------------------------
>
>
>> Index: auth2-chall.c
>> ===================================================================
>> RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
>> retrieving revision 1.21
>> diff -u -p -r1.21 auth2-chall.c
>> --- auth2-chall.c 1 Jun 2004 14:20:45 -0000 1.21
>> +++ auth2-chall.c 6 Jul 2004 12:13:10 -0000
>> @@ -268,12 +268,9 @@ input_userauth_info_response(int type, u
>>  }
>>  packet_check_eom();
>>
>> - if (authctxt->valid) {
>> - res = kbdintctxt->device->respond(kbdintctxt->ctxt,
>> -     nresp, response);
>> - } else {
>> - res = -1;
>> - }
>> + res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
>> + if (!authctxt->valid)
>> + res = 1; /* keep going if login invalid */
>>
>>  for (i = 0; i < nresp; i++) {
>>  memset(response[i], 'r', strlen(response[i]));
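Review bot: forcing `res = 1` for an invalid login means the `switch (res)` further down always takes the "further interaction" branch for unknown names, whereas a valid account with a wrong answer gets whatever `respond()` returned; worth confirming this does not trade the timing difference for a behavioural one (a re-prompt for unknown names where a known name with a bad answer fails), for instance by mapping the invalid case to the same code `respond()` yields on a wrong answer. The unconditional `respond()` call itself is the right shape: the same work is done whether or not the name exists.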
>> @@ -285,7 +282,7 @@ input_userauth_info_response(int type, u
>>  switch (res) {
>>  case 0:
>>  /* Success! */
>> - authenticated = 1;
>> + authenticated = authctxt->valid ? 1 : 0;
>>  break;
>>  case 1:
>>  /* Authentication needs further interaction */
>>
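Review bot: with `authenticated = authctxt->valid ? 1 : 0;` the `/* Success! */` comment above `case 0:` is now misleading for an invalid login, which can only reach this case if the `res = 1` override in the previous hunk is somehow bypassed; reword the comment to say that success is honoured only for a valid account and that this line is the belt-and-braces check behind that override.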
>
>
> --------------------------------------------------------------------------------
>
>
>> Index: auth-pam.c
>> ===================================================================
>> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
>> retrieving revision 1.118
>> diff -u -p -r1.118 auth-pam.c
>> --- auth-pam.c 16 Oct 2004 08:52:44 -0000 1.118
>> +++ auth-pam.c 21 Dec 2004 11:23:23 -0000
>> @@ -186,6 +186,7 @@ static int sshpam_account_status = -1;
>> static char **sshpam_env = NULL;
>> static Authctxt *sshpam_authctxt = NULL;
>> static const char *sshpam_password = NULL;
>> +static char badpw[] = "\b\n\r\177INCORRECT";
>>
>> /* Some PAM implementations don't implement this */
>> #ifndef HAVE_PAM_GETENVLIST
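Review bot: `badpw` becomes a file-scope mutable array with no comment saying what it is for. Unless the remaining use in sshpam_auth_passwd needs a writable pointer, declare it `static const char badpw[]`, and add a one-line comment that it is a deliberately unacceptable password substituted for invalid or disallowed accounts so the PAM conversation does the same work either way, which is how the sshpam_respond hunk uses it.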
>> @@ -746,7 +747,12 @@ sshpam_respond(void *ctx, u_int num, cha
>>  return (-1);
>>  }
>>  buffer_init(&buffer);
>> - buffer_put_cstring(&buffer, *resp);
>> + if (sshpam_authctxt->valid &&
>> +     (sshpam_authctxt->pw->pw_uid != 0 ||
>> +      options.permit_root_login == PERMIT_YES))
>> + buffer_put_cstring(&buffer, *resp);
>> + else
>> + buffer_put_cstring(&buffer, badpw);
>>  if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
>>  buffer_free(&buffer);
>>  return (-1);
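Review bot: the new condition silently treats a valid root account as invalid whenever `options.permit_root_login != PERMIT_YES`, which also covers the other PermitRootLogin settings that refuse root password logins; that is consistent with how the rest of sshd treats them, but it deserves a comment, and the nested parentheses would read more clearly as a named local such as `int use_real_password = ...;` before the `if`. `options` is already referenced in this file (`options.permit_empty_passwd` in the next hunk), so no new include is needed.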
>> @@ -1093,7 +1099,6 @@ sshpam_auth_passwd(Authctxt *authctxt, c
>> {
>>  int flags = (options.permit_empty_passwd == 0 ?
>>      PAM_DISALLOW_NULL_AUTHTOK : 0);
>> - static char badpw[] = "\b\n\r\177INCORRECT";
>>
>>  if (!options.use_pam || sshpam_handle == NULL)
>>  fatal("PAM: %s called when PAM disabled or failed to "
>>
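Review bot: dropping the function-local `badpw` is only correct because the file-scope definition added in the first hunk precedes this function, and the remaining reference to `badpw` later in sshpam_auth_passwd lies outside these context lines, so a reviewer has to take that on trust; a sentence in the commit message saying `badpw` was hoisted to file scope so sshpam_respond can share it would make the intent explicit.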
>
>
> --------------------------------------------------------------------------------
>
>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.791 / Virus Database: 535 - Release Date: 11/13/2004
>

