Sending immediate PAM auth failure messages via kbd-int
Darren Tucker
dtucker at zip.com.au
Wed Jun 2 10:10:06 EST 2004
Dan Kaminsky wrote:
> Most versions of SSH1 would leak whether an account existed or not
> through high debug levels. I absolutely respect the need to have
> forced-ejection messages, but we should try to avoid this mechanism for
> information leakage. After all -- logins are encrypted, and therefore
> can't be readily noticed by an IDS.
Surprisingly, it doesn't leak account information, at least if the
nologin check is a requisite and is before the other auths. You get the
same behaviour for accounts that exist and don't exist.
It will return quicker if you let it get as far as, e.g., pam_unix.so, but
that is the behaviour of the current code too. (The attached patch
fixes that too, but I'm not sure if it has any side effects for non-PAM
kbdint drivers).
So, with the patch attached to this message and the one at the start of
this thread, AFAICT there's no info leaks either way.
$ ssh -o preferredauthentications=keyboard-interactive nosuch at localhost
This is /etc/nologin.
This is /etc/nologin.
This is /etc/nologin.
The auth section of the PAM stack:
auth requisite pam_nologin.so
auth requisite pam_stack.so service=system-auth
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Attachment (scrubbed by the list archive): openssh-chall2-no-leak.patch
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040602/e4b27f8d/attachment.ksh
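The point of the message above is that the PAM control flag on the nologin line decides what a remote keyboard-interactive client can tell apart: a `requisite` pam_nologin.so first in the stack fails every user the same way before any account lookup happens, whereas letting the stack reach the password module leaks existence through response time. The following is an added example, not code from the mail, from OpenSSH or from Linux-PAM: a toy model of PAM stack evaluation with the control-flag semantics (requisite, required, sufficient, optional) simplified, pam_stack.so/system-auth stood in for by a model of pam_unix.so, and the user "alice", her password and the per-module cost units all constructed for the demonstration.

```python
"""Toy model of Linux-PAM auth-stack control flags, used to check whether a
keyboard-interactive login reveals account existence. Constructed example;
it is not Linux-PAM and not OpenSSH code."""
from collections import namedtuple

SUCCESS, AUTH_ERR, USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"

# Constructed sample data (hypothetical user and password).
KNOWN_USERS = {"alice": "correct-horse"}
NOLOGIN_TEXT = "This is /etc/nologin."

Result = namedtuple("Result", "rc messages executed cost")


def pam_nologin(user, password, conv, env):
    """Models pam_nologin: if /etc/nologin exists and the user is not root,
    show its contents through the conversation function and fail."""
    if env.get("nologin_exists", True) and user != "root":
        conv(NOLOGIN_TEXT)
        return AUTH_ERR, 1
    return SUCCESS, 1


def pam_unix(user, password, conv, env):
    """Models pam_unix (standing in for pam_stack.so service=system-auth).
    An unknown user returns without a hash comparison; a known user pays a
    simulated crypt() cost, which is the timing difference the mail refers to.
    The cost units are assumptions, not measurements."""
    if user not in KNOWN_USERS:
        return USER_UNKNOWN, 1
    rc = SUCCESS if KNOWN_USERS[user] == password else AUTH_ERR
    return rc, 100


def run_stack(stack, user, password, env=None):
    """Evaluate [(control, module), ...] with simplified Linux-PAM semantics:
      requisite  - failure ends the stack immediately with that code
      required   - failure is remembered (first one wins) but the stack continues
      sufficient - success ends the stack if no required module has failed
      optional   - result ignored
    Returns the final code, messages shown, modules run and simulated cost."""
    env = env or {}
    messages, executed, first_failure, cost = [], [], None, 0
    for control, module in stack:
        executed.append(module.__name__)
        rc, units = module(user, password, messages.append, env)
        cost += units
        if control == "requisite" and rc != SUCCESS:
            return Result(rc, messages, executed, cost)
        if control == "required" and rc != SUCCESS and first_failure is None:
            first_failure = rc
        if control == "sufficient" and rc == SUCCESS and first_failure is None:
            return Result(SUCCESS, messages, executed, cost)
    return Result(first_failure or SUCCESS, messages, executed, cost)


def client_view(result):
    """What a remote keyboard-interactive client can observe: pass/fail,
    the text it was shown, and (roughly) how long the server took."""
    return (result.rc == SUCCESS, tuple(result.messages), result.cost)


def leaks_account_existence(stack, env=None):
    """True if a known and an unknown user are distinguishable from the client side."""
    known = run_stack(stack, "alice", "wrong-password", env)
    unknown = run_stack(stack, "nosuch", "wrong-password", env)
    return client_view(known) != client_view(unknown)


# The stack from the mail (pam_stack.so modelled by pam_unix) and a variant
# that uses "required" instead of "requisite" for the nologin check.
STACK_FROM_MAIL = [("requisite", pam_nologin), ("requisite", pam_unix)]
STACK_REQUIRED_NOLOGIN = [("required", pam_nologin), ("requisite", pam_unix)]

if __name__ == "__main__":
    for name, stack in (("requisite nologin", STACK_FROM_MAIL),
                        ("required nologin", STACK_REQUIRED_NOLOGIN)):
        print(f"{name}: leaks={leaks_account_existence(stack)}")
    print("no /etc/nologin:",
          leaks_account_existence(STACK_FROM_MAIL, {"nologin_exists": False}))
```

With the mail's ordering both "alice" and "nosuch" stop at pam_nologin with the same message and the same cost, so the model reports no leak. Changing the nologin line to `required` keeps the same text on screen but lets the stack continue into the password module, where only the existing account pays the hashing cost; that is the timing leak. The third case, with no /etc/nologin at all, shows the same timing difference and is the situation the mail says the attached patch addresses on the sshd side.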