On Thu, May 14, 2015 at 09:47:09PM +0200, [email protected] wrote:
> >Synopsis:    opensmtpd logs attempted password on failed login auth
> >Category:    user
> >Environment:
>       System      : OpenBSD 5.7
>       Details     : OpenBSD 5.7 (GENERIC) #825: Sun Mar  8 10:59:14 MDT 2015 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> 
>       Architecture: OpenBSD.amd64
>       Machine     : amd64
> >Description:
>       AUTH LOGIN in the SMTP dialog goes like this (base64 annotated in brackets):
>          ~> AUTH LOGIN
>         <~  334 VXNlcm5hbWU6 [Username:]
>          ~> cGhpbEBwaGlsa2Vybi5kZQ== [[email protected]]
>         <~  334 UGFzc3dvcmQ6 [Password:]
>          ~> Zm9vYmFy [foobar]
>         <~* 535 Authentication failed
>         If authentication fails smtpd logs this:
>          smtp-in: Failed command on session 6b09411cc0bac11b: "Zm9vYmFy" => 535 Authentication failed
>         This is somewhat unhelpful as the only obfuscation is base64. Instead it
>         should not be printed in the first place, as it is not a command but
>         rather a reply. I can find a bunch of mailing list posts where people
>         leaked their passwords because they didn't know that the obfuscated
>         blob printed contained it. But even that aside: if it's slightly
>         misspelt it will be persisted on disk while the live credential will
>         be stored as a hash.
> >How-To-Repeat:
>       Try authentication with any invalid user/password combination, e.g.
>         with swaks.
> >Fix:
>       Do not print the last "command" in an AUTH LOGIN conversation.
> 

Indeed.

The code to hide the credentials was there but it could only work for
the AUTH PLAIN case, I have reworked it so now it uses session states
and not last command to determine if it has to hide. This way when we
implement new methods, it won't bite us again.

With what I committed, AUTH PLAIN now produces:

     smtp-in: Started TLS on session 01f7c7db82b5bd69: version=TLSv1/SSLv3, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
     smtp-in: Authentication failed for user gilles on session 01f7c7db82b5bd69
     smtp-in: Failed command on session 01f7c7db82b5bd69: "AUTH PLAIN (...)" => 535 Authentication failed

Whereas AUTH LOGIN produces:

     smtp-in: Started TLS on session eef55fd1570cd04b: version=TLSv1/SSLv3, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
     smtp-in: Failed command on session eef55fd1570cd04b: "AUTH LOGIN (username)" => 501 5.5.2 Syntax error: Syntax error

or

     smtp-in: Started TLS on session 748dd2c20742fedb: version=TLSv1/SSLv3, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
     smtp-in: Authentication failed for user gilles on session 748dd2c20742fedb
     smtp-in: Failed command on session 748dd2c20742fedb: "AUTH LOGIN (password)" => 535 Authentication failed

depending on when the error triggered during the AUTH LOGIN session.

Thanks for your report


-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg

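The state-based masking described in the reply above, as an added toy model written for this page (Python, not OpenSMTPD's own code): the text logged for a failed client line is chosen from the session state, never from the line's content, so a username or password sent during AUTH LOGIN cannot be echoed into the "Failed command" entry. The state names, account table, session id and reply strings are constructed for the example.

```python
import base64

# Session states of the AUTH dialog (constructed names, not OpenSMTPD's own)
S_IDLE, S_LOGIN_USER, S_LOGIN_PASS = "idle", "login-user", "login-pass"

class AuthSession:
    """Toy SMTP AUTH state machine: what gets logged for a failed line is
    chosen from the session state, never from the line's content."""
    def __init__(self, sid, accounts):
        self.sid, self.accounts = sid, accounts      # accounts: {user: password}
        self.state, self.user, self.log = S_IDLE, None, []

    def loggable(self, line):
        # Inside AUTH LOGIN the client line *is* a credential: log only its role.
        if self.state == S_LOGIN_USER:
            return "AUTH LOGIN (username)"
        if self.state == S_LOGIN_PASS:
            return "AUTH LOGIN (password)"
        if line.upper().startswith("AUTH PLAIN"):
            return "AUTH PLAIN (...)"                # credential is on the command line
        return line

    def fail(self, line, reply):
        self.log.append(f'smtp-in: Failed command on session {self.sid}: "{self.loggable(line)}" => {reply}')
        self.state = S_IDLE
        return reply

    def check(self, user, password, line):
        if self.accounts.get(user) == password:
            self.state = S_IDLE
            return "235 2.0.0 Authentication succeeded"
        self.log.append(f"smtp-in: Authentication failed for user {user} on session {self.sid}")
        return self.fail(line, "535 Authentication failed")

    def handle(self, line):
        try:
            if self.state == S_LOGIN_USER:
                self.user = base64.b64decode(line, validate=True).decode()
                self.state = S_LOGIN_PASS
                return "334 UGFzc3dvcmQ6"            # "Password:"
            if self.state == S_LOGIN_PASS:
                return self.check(self.user, base64.b64decode(line, validate=True).decode(), line)
            if line.upper() == "AUTH LOGIN":
                self.state = S_LOGIN_USER
                return "334 VXNlcm5hbWU6"            # "Username:"
            if line.upper().startswith("AUTH PLAIN "):
                blob = base64.b64decode(line.split(" ", 2)[2], validate=True).decode()
                _authzid, user, password = blob.split("\0")   # RFC 4616 layout
                return self.check(user, password, line)
        except ValueError:                           # bad base64, bad UTF-8, bad PLAIN layout
            return self.fail(line, "501 5.5.2 Syntax error: Syntax error")
        return self.fail(line, "500 Command unrecognized")
```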