Pam module leaks information
Darren Tucker
dtucker at zip.com.au
Mon Jul 18 14:14:24 EST 2005
Senthil Kumar wrote:
> I'm using OpenSSH 4.1 with a proprietary pam module. This module does allow
> or deny access to the account based on a policy file settings. Now if I deny
> the access to an account and attempt to connect to the sshd server for that
> account with valid password, it quickly returns to next prompt. When I try
> it with invalid password, it took some time to return to next prompt. I'm
> wondering if this kind of behaviour will lead to information leak on
> password validity. Should I need to contact the author of this module to
> compensate the difference in timing factor?

I'm not aware of any remaining timing info leaks in the PAM code in
OpenSSH 4.1p1 (we spent some time a while back stomping them out) but if
there are any left then they ought to be found and fixed.

That said, it sounds like your module is the source of the timing
discrepancy. Does it behave the same way with other PAM apps?

What platform is this? On Linux, you may have to explicitly set
pam_fail_delay (eg with this module:
http://www.zip.com.au/~dtucker/patches/#pam_faildelay).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
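
The timing discrepancy discussed in this thread, modelled as an added example (not part of the original message and not OpenSSH or PAM code): one login path delays only on a bad password, the other applies the same delay to every failure. The function names, the 2-second delay and the sample account are constructed assumptions, and a fake clock stands in for real sleeps so the result is deterministic.

```python
import hmac

FAIL_DELAY = 2.0  # seconds; assumed value, not taken from the thread

class FakeClock:
    """Deterministic clock: records requested sleeps instead of waiting."""
    def __init__(self):
        self.now = 0.0
    def sleep(self, seconds):
        self.now += seconds

# Constructed sample data: one account that the policy file denies.
PASSWORDS = {"alice": b"correct horse"}
DENIED_BY_POLICY = {"alice"}

def password_ok(user, password):
    # Stand-in for the real password check performed by the auth stack.
    return hmac.compare_digest(PASSWORDS.get(user, b""), password)

def login_leaky(clock, user, password):
    """Delays on a bad password only; a policy denial returns at once."""
    if not password_ok(user, password):
        clock.sleep(FAIL_DELAY)
        return False
    if user in DENIED_BY_POLICY:
        return False  # fast rejection tells the client the password was valid
    return True

def login_uniform(clock, user, password):
    """Runs both checks, then applies the same delay to every failure."""
    pw_ok = password_ok(user, password)
    allowed = user not in DENIED_BY_POLICY
    if not (pw_ok and allowed):
        clock.sleep(FAIL_DELAY)
        return False
    return True

def timing_gap(login, user, good_pw, bad_pw):
    """Response-time difference between a valid and an invalid password."""
    times = []
    for pw in (good_pw, bad_pw):
        clock = FakeClock()
        login(clock, user, pw)
        times.append(clock.now)
    return abs(times[0] - times[1])

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        gap = timing_gap(fn, "alice", b"correct horse", b"wrong guess")
        print(f"{fn.__name__}: gap = {gap:.1f}s")
```

A non-zero gap for a policy-denied account is the signal to look for when testing a module against a real clock; there the comparison needs many samples per case because of scheduling and network jitter.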
More information about the openssh-unix-dev mailing list