Pam module leaks information
Senthil Kumar
senthilkumar_sen at hotpop.com
Mon Jul 18 20:32:54 EST 2005
Darren wrote:
> Senthil Kumar wrote:
>> Im using OpenSSH 4.1 with a proprietary pam module. This module does
>> allow
>> or deny access to the accound based on a policy file settings. Now if I
>> deny
>> the access to an account and attempt to connect to the sshd server for
>> that
>> account with valid password, it quickly returns to next prompt. When I
>> try
>> it with invalid password, it took some time to return to next prompt. Im
>> wondering if this kind of behaviour will lead to information leak on
>> password validity. Should I need to contact the author of this module to
>> compensate the difference in timing factor.
>
> I'm not aware of any remaining timing info leaks in the PAM code in
> OpenSSH 4.1p1 (we spent some time a while back stomping them out) but if
> there are any left then they ought to be found and fixed.
>
> That said, it sounds like your module is the source of the timing
> discrepancy. Does it behave the same way with other PAM apps?
When I test this module with telnet with valid password entered they close
the conn. With invalid passwd they prompt for password after some delay. The
same behaviour happens for password auth. with sshd. With challengeresponse,
for valid password it return quickly to next prompt and with invalid
password it took some time.
>
> What platform is this? On Linux, you may have to explicitly set
> pam_fail_delay (eg with this module:
> http://www.zip.com.au/~dtucker/patches/#pam_faildelay).
>
This happens in hpux.
Thanks,
Senthil Kumar.
More information about the openssh-unix-dev
mailing list