Pam module leaks information

Senthil Kumar senthilkumar_sen at hotpop.com
Fri Jul 22 01:01:09 EST 2005


Darren Tucker wrote:
>
> I'm not sure about HP-UX but you might need to use the "login" service.

For the login service, pam_authenticate returns success, as with sshd.

./a.out -u senthil -s login
$Id: pam-test-harness.c,v 1.24 2005/07/18 14:10:35 dtucker Exp $
conversation struct {conv=0x4001900, appdata_ptr=0x400006cc}
pam_start(login, senthil, &conv, &pamh) = 0 (Success)
pam_set_item(pamh, PAM_TTY, "/dev/pts/ta") = 0 (Success)
pam_set_item(pamh, PAM_RHOST, "pluto") = 0 (Success)
pam_set_item(pamh, PAM_RUSER, "root") = 0 (Success)
pam_authenticate(pamh, 0)
   conversation called with 1 messages data 0x400006cc
        PROMPT_ECHO_OFF: Password: correct passwd  (no time delay)
  = 0 (Success)
pam_acct_mgmt(pamh, 0) = 7 (Permission denied)
pam_end(pamh, 0) = 0 (Success)

But with the wrong password there is a delay.

>
> PAM is behaving differently in these cases, either because the service
> configuration is different or your PAM module is doing some kind of
> magic.  (note that in the sshd case, the authentication succeeds but the
> account check fails, whereas in the telnetd case the authentication 
> fails).

I double-checked my PAM configuration and it seems OK.

>
> You said earlier password auth exhibits the delay as expected, can you
> confirm that?

No, I said it is for telnet that it exhibits the delay and closes the
connection, but for sshd it closes immediately for password auth.
Here is what is happening on my system:

With challengeresponse:
ssh -l senthil localhost
Password:      (correct pass) no delay
Password:      (wrong pass) delay
Password:      (correct pass) no delay

Without challengeresponse:
ssh -l senthil localhost
senthil@localhost's password: (correct pass) no delay
Connection closed by 127.0.0.1

ssh -l senthil localhost -p 1111
senthil@localhost's password: (wrong pass) delay.

Thanks,
Senthil Kumar.
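
The timing difference reported above (a wrong password is delayed, while a correct password on an account that fails the account check is rejected at once) disappears when the caller pads every rejection to the same floor. The sketch below is an added example, not code from this post or from OpenSSH; `finish_login`, `timed_attempt` and `FAIL_FLOOR_MS` are hypothetical names, and the integer return codes stand in for the real PAM calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#define RC_SUCCESS 0      /* 0 is "Success" in the harness output above */
#define FAIL_FLOOR_MS 200 /* assumed floor, kept short for the demo */
static long elapsed_ms(const struct timespec *start)
{
    struct timespec now;
    clock_gettime(CLOCK_MONOTONIC, &now);
    long long ns = (now.tv_sec - start->tv_sec) * 1000000000LL
                 + (now.tv_nsec - start->tv_nsec);
    return (long)(ns / 1000000);
}

/* Sleep until at least floor_ms have passed since *start. */
static void pad_to_floor(const struct timespec *start, long floor_ms)
{
    long left;
    while ((left = floor_ms - elapsed_ms(start)) > 0) {
        struct timespec ts = { left / 1000, (left % 1000) * 1000000L };
        nanosleep(&ts, NULL); /* loop re-checks if interrupted early */
    }
}

/* auth_rc/acct_rc stand in for pam_authenticate()/pam_acct_mgmt() results. */
int finish_login(int auth_rc, int acct_rc, const struct timespec *start)
{
    if (auth_rc == RC_SUCCESS && acct_rc == RC_SUCCESS)
        return 1;                       /* only full success skips the pad */
    pad_to_floor(start, FAIL_FLOOR_MS); /* same floor for either failure */
    return 0;
}

/* Hypothetical helper: run one attempt, return its duration in ms. */
long timed_attempt(int auth_rc, int acct_rc, int *admitted)
{
    struct timespec start;
    clock_gettime(CLOCK_MONOTONIC, &start);
    *admitted = finish_login(auth_rc, acct_rc, &start);
    return elapsed_ms(&start);
}

int main(void)
{
    int ok; /* 7 is the "Permission denied" code from the output above */
    printf("auth ok, acct denied: %ld ms\n", timed_attempt(0, 7, &ok));
    printf("auth failed:          %ld ms\n", timed_attempt(7, 7, &ok));
    printf("both ok:              %ld ms\n", timed_attempt(0, 0, &ok));
    return 0;
}
```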






