Pam module leaks information
Darren Tucker
dtucker at zip.com.au
Wed Jul 20 12:10:55 EST 2005
Senthil Kumar wrote:
> When I run the PAM test harness with sshd and telnet I got different results,
> and they are given below:
> with sshd:
> ./a.out -u senthil -s sshd
> $Id: pam-test-harness.c,v 1.24 2005/07/18 14:10:35 dtucker Exp $
> conversation struct {conv=0x4001900, appdata_ptr=0x400006cc}
> pam_start(sshd, senthil, &conv, &pamh) = 0 (Success)
> pam_set_item(pamh, PAM_TTY, "/dev/pts/ta") = 0 (Success)
> pam_set_item(pamh, PAM_RHOST, "pluto") = 0 (Success)
> pam_set_item(pamh, PAM_RUSER, "root") = 0 (Success)
> pam_authenticate(pamh, 0)
> conversation called with 1 messages data 0x400006cc
> PROMPT_ECHO_OFF: Password: correct password (No Time delay)
> conversation called with 1 messages data 0x400006cc
> ERROR_MSG: Your password will expire on Wed Jul 20 17:53:18 GMT 2005
> = 0 (Success)
> pam_acct_mgmt(pamh, 0) = 7 (Permission denied)
> pam_end(pamh, 0) = 0 (Success)
>
> with telnet:
> ./a.out -u senthil -s telnetd

I'm not sure about HP-UX but you might need to use the "login" service.

> $Id: pam-test-harness.c,v 1.24 2005/07/18 14:10:35 dtucker Exp $
> conversation struct {conv=0x4001900, appdata_ptr=0x400006cc}
> pam_start(telnetd, senthil, &conv, &pamh) = 0 (Success)
> pam_set_item(pamh, PAM_TTY, "/dev/pts/ta") = 0 (Success)
> pam_set_item(pamh, PAM_RHOST, "pluto") = 0 (Success)
> pam_set_item(pamh, PAM_RUSER, "root") = 0 (Success)
> pam_authenticate(pamh, 0)
> conversation called with 1 messages data 0x400006cc
> PROMPT_ECHO_OFF: Password: correct password. (Time delay)
> = 9 (Authentication failed)
> pam_end(pamh, 0) = 0 (Success)

PAM is behaving differently in these cases, either because the service
configuration is different or your PAM module is doing some kind of
magic. (Note that in the sshd case, the authentication succeeds but the
account check fails, whereas in the telnetd case the authentication fails.)

You said earlier password auth exhibits the delay as expected, can you
confirm that?

The output from "pam-test-harness -s sshd" is consistent with what
you're observing in keyboard-interactive, i.e. there's no delay because
PAM isn't inserting one. If password auth isn't behaving the same way
(remembering that it uses the same PAM service name) then I have no idea
what's going on...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
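
Added example (not part of the original post or of pam-test-harness): a small parser that reduces two harness transcripts to their per-call return codes and reports where each run first fails and where the two runs diverge, which is the comparison made in the reply above. The function names are hypothetical, and the sample input is the quoted output with the conversation lines trimmed.

```python
import re

# "pam_start(sshd, senthil, &conv, &pamh) = 0 (Success)": call and result on one line.
CALL_DONE = re.compile(r"^(pam_\w+)\(.*\)\s*=\s*(\d+)\s*\((.+)\)$")
# "pam_authenticate(pamh, 0)": the result line follows later, after the conversation.
CALL_OPEN = re.compile(r"^(pam_\w+)\(.*\)$")
RESULT_ONLY = re.compile(r"^=\s*(\d+)\s*\((.+)\)$")

def parse_harness(text):
    """Return [(call, code, description), ...] in call order."""
    calls, pending = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted transcripts
        if m := CALL_DONE.match(line):
            calls.append((m.group(1), int(m.group(2)), m.group(3)))
            pending = None
        elif m := CALL_OPEN.match(line):
            pending = m.group(1)
        elif (m := RESULT_ONLY.match(line)) and pending:
            calls.append((pending, int(m.group(1)), m.group(2)))
            pending = None
    return calls

def first_failure(calls):
    """First call that returned non-zero (PAM_SUCCESS is 0), or None."""
    return next((c for c in calls if c[1] != 0), None)

def first_divergence(a, b):
    """First position where two runs differ in call name or return code, or None."""
    return next(((x, y) for x, y in zip(a, b) if x[:2] != y[:2]), None)

# Transcripts taken from the quoted harness output above (conversation lines trimmed).
SSHD_RUN = """\
pam_start(sshd, senthil, &conv, &pamh) = 0 (Success)
pam_authenticate(pamh, 0)
= 0 (Success)
pam_acct_mgmt(pamh, 0) = 7 (Permission denied)
pam_end(pamh, 0) = 0 (Success)
"""
TELNETD_RUN = """\
pam_start(telnetd, senthil, &conv, &pamh) = 0 (Success)
pam_authenticate(pamh, 0)
= 9 (Authentication failed)
pam_end(pamh, 0) = 0 (Success)
"""

if __name__ == "__main__":
    sshd, telnetd = parse_harness(SSHD_RUN), parse_harness(TELNETD_RUN)
    print("sshd fails at:", first_failure(sshd), "| telnetd:", first_failure(telnetd))
    print("runs diverge at:", first_divergence(sshd, telnetd))
```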