>Synopsis: opensmtpd logs attempted password on failed login auth
>Category: user
>Environment:
System : OpenBSD 5.7
Details : OpenBSD 5.7 (GENERIC) #825: Sun Mar 8 10:59:14 MDT 2015
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
AUTH LOGIN in the SMTP dialog goes like this (base64 annotated in
brackets):
~> AUTH LOGIN
<~ 334 VXNlcm5hbWU6 [Username:]
~> cGhpbEBwaGlsa2Vybi5kZQ== [phil@philkern.de]
<~ 334 UGFzc3dvcmQ6 [Password:]
~> Zm9vYmFy [foobar]
<~* 535 Authentication failed
If authentication fails smtpd logs this:
smtp-in: Failed command on session 6b09411cc0bac11b: "Zm9vYmFy" => 535 Authentication failed
This is not very helpful, since the only obfuscation is base64 and the blob
decodes trivially. The line should not be logged in the first place: what is
quoted is not a command at all, but the client's response to the server's 334
challenge. I can find a bunch of mailing list posts where people leaked their
passwords because they didn't know that the obfuscated blob printed contained
it. But even that aside: a password that is only slightly mistyped is
persisted in plaintext on disk, while the live credential itself is only ever
stored as a hash.
>How-To-Repeat:
Attempt AUTH LOGIN with any invalid user/password combination, e.g. with
swaks, and look at the resulting smtpd log line.
>Fix:
Do not log the client's challenge responses in an AUTH LOGIN conversation;
they are replies to 334 challenges, not commands.
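The following is an added example, not part of the original report and not
OpenSMTPD code. It shows both sides of the point above: a triage pass over
log lines in the quoted format that finds 535 failures whose "command" is a
bare base64 blob and decodes them (the session ids and lines other than the
first are constructed), and a small model of the logging decision with the
behaviour the report describes beside the proposed fix. The model goes a
little beyond the report: it also redacts the initial response that AUTH
PLAIN or AUTH LOGIN may carry on the command line, and it keeps a redacted
535 record rather than dropping the line entirely. Function names and the
reply-code handling are assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample log in the format quoted in the report. Only the first
# line is the report's; the other sessions and commands are invented.
SAMPLE_LOG = """\
smtp-in: Failed command on session 6b09411cc0bac11b: "Zm9vYmFy" => 535 Authentication failed
smtp-in: Failed command on session 0123456789abcdef: "RCPT TO:<nobody@example.invalid>" => 550 Invalid recipient
smtp-in: Failed command on session fedcba9876543210: "NOOP extra" => 501 Syntax error
smtp-in: Failed command on session 00ff00ff00ff00ff: "aHVudGVyMg==" => 535 Authentication failed
"""

FAILED_CMD = re.compile(
    r'Failed command on session (?P<sid>[0-9a-f]+): "(?P<arg>[^"]*)" => (?P<code>\d{3})'
)

# Constructed transcript of the dialog in the report: (client line, server reply code).
REPORT_TRANSCRIPT = [
    ("AUTH LOGIN", 334),
    ("cGhpbEBwaGlsa2Vybi5kZQ==", 334),
    ("Zm9vYmFy", 535),
]


def decode_b64_token(token):
    """Strictly decode one token as base64; return the text if printable, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def find_leaked_auth_blobs(log_text):
    """Triage: a 535 'Failed command' whose quoted argument is a bare base64
    blob is an AUTH LOGIN challenge response, i.e. a username or a password.
    Returns (session id, logged blob, decoded plaintext) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_CMD.search(line)
        if not m or m.group("code") != "535":
            continue
        decoded = decode_b64_token(m.group("arg"))
        if decoded is not None:
            hits.append((m.group("sid"), m.group("arg"), decoded))
    return hits


def failed_command_log(sid, transcript, redact=True):
    """Model (assumed, not OpenSMTPD's code) of the logging decision.

    redact=False reproduces the behaviour the report describes: whatever the
    client sent is quoted in the log.  redact=True is the fix: once an AUTH
    exchange is in progress the client's lines are answers to 334 challenges,
    not commands, and are written as "<redacted>"; an initial response on the
    AUTH command line itself is redacted too."""
    out = []
    in_auth = False
    for client_line, code in transcript:
        shown = client_line
        words = client_line.split()
        if redact:
            if in_auth:
                shown = "<redacted>"
            elif len(words) >= 3 and words[0].upper() == "AUTH":
                shown = f"{words[0]} {words[1]} <redacted>"
        if code >= 400:
            out.append(f'smtp-in: Failed command on session {sid}: "{shown}" => {code}')
        if words and words[0].upper() == "AUTH":
            in_auth = True
        if in_auth and code != 334:
            in_auth = False  # any reply other than a 334 challenge ends the exchange
    return out


if __name__ == "__main__":
    for sid, blob, plain in find_leaked_auth_blobs(SAMPLE_LOG):
        print(f"session {sid}: {blob!r} decodes to {plain!r}")
    print("before fix:", failed_command_log("6b09411cc0bac11b", REPORT_TRANSCRIPT, redact=False))
    print("after fix: ", failed_command_log("6b09411cc0bac11b", REPORT_TRANSCRIPT))
```

The triage pass is what an operator would run over an existing log before
pasting it anywhere: every hit is a credential that is already on disk in
the clear.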