Your message dated Sun, 21 Dec 2008 19:47:08 +0000
with message-id <[email protected]>
and subject line Bug#325351: fixed in libpam-ssh 1.92-4
has caused the Debian Bug report #325351,
regarding libpam-ssh: pam-ssh without common-auth for authentication authorizes login with wrong password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
325351: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325351
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-ssh
Version: 1.91.0-9
Severity: grave
Tags: security
Justification: user security hole

Hello,

I want to use only pam-ssh to log in on my computer, so I modified the
login PAM file and commented out @include common-auth.

Here is a part of my /etc/pam.d/login

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication.
@include pam-ssh-auth
#...@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Standard Un*x account and session
@include common-account
@include common-session
@include pam-ssh-session


With this configuration, I can log in with a wrong or empty passphrase.
If I want to use only pam-ssh-auth, I need to modify
/etc/pam.d/pam-ssh-auth and replace sufficient by required. It is very
easy to insert a security hole in your system.

Regards,

Sylvain

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: lang=fr...@euro, lc_ctype=fr...@euro (charmap=ISO-8859-15)

Versions of packages libpam-ssh depends on:
ii  libc6                         2.3.5-4    GNU C Library: Shared libraries an
ii  libpam0g                      0.76-23    Pluggable Authentication Modules l
ii  libssl0.9.7                   0.9.7g-1   SSL shared libraries

Versions of packages libpam-ssh recommends:
ii  ssh                           1:4.1p1-6  Secure shell client and server (tr

-- no debconf information



--- End Message ---
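Why the reporter's stack accepts a wrong passphrase comes down to how Linux-PAM combines control flags: an earlier `requisite`/`required` module that succeeds (pam_securetty, pam_nologin, pam_env) leaves the stack in a "positive" state, and a failing `sufficient` module is simply ignored, so nothing ever records a failure. The following is an added example, not code from the bug report or from the libpam-ssh package. It is a simplified Python model of Linux-PAM's dispatch rules for the four classic control flags, run over the reporter's auth stack and over two hardened variants: the reporter's own fix (sufficient replaced by required) and a trailing `pam_deny.so` backstop (a standard Linux-PAM module that always fails; the page does not mention it). It assumes, as the report implies, that the pam-ssh-auth include consisted of a single `auth sufficient pam_ssh.so` line; all module results are constructed for the demo rather than taken from a real PAM run.

```python
"""Simplified model of Linux-PAM `auth` stack evaluation (added example).

Mirrors the logic of pam_dispatch.c: a running impression (undecided,
positive, negative) plus a success flag that starts out as "denied".
Module outcomes are supplied by the caller, so nothing here touches a
real PAM installation.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"
UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"


def evaluate_auth_stack(stack, module_results):
    """Return True if the stack grants authentication, False otherwise.

    stack: list of (control, module) in file order.
    module_results: dict module -> True (PAM_SUCCESS) / False (any failure).
    """
    impression, success = UNDEF, False   # Linux-PAM starts from PAM_PERM_DENIED
    for control, module in stack:
        ok = module_results[module]
        if control == REQUISITE:           # default=die
            if not ok:
                return False               # stop at once, fail
            if impression == UNDEF:
                impression, success = POSITIVE, True
        elif control == REQUIRED:          # default=bad
            if ok:
                if impression == UNDEF:
                    impression, success = POSITIVE, True
            else:
                impression, success = NEGATIVE, False   # remember, keep going
        elif control == SUFFICIENT:        # success=done default=ignore
            if ok and impression != NEGATIVE:
                return True                # stop at once, succeed
            # a failing sufficient module changes nothing at all
        elif control == OPTIONAL:          # success=ok default=ignore
            if ok and impression == UNDEF:
                impression, success = POSITIVE, True
        else:
            raise ValueError("unknown control flag %r" % control)
    # dispatch sanity check: success needs a positive impression
    return success and impression == POSITIVE


def lacks_backstop(stack):
    """Lint: a stack ending in sufficient/optional has no module that can
    fail closed, so a failing authenticator falls through to whatever
    earlier bookkeeping modules (securetty, nologin, env) returned."""
    return stack[-1][0] in (SUFFICIENT, OPTIONAL)


# The reporter's /etc/pam.d/login auth section, common-auth commented out,
# pam-ssh-auth assumed to be one "auth sufficient pam_ssh.so" line.
LOGIN_AUTH_PAM_SSH_ONLY = [
    (REQUISITE, "pam_securetty.so"),
    (REQUISITE, "pam_nologin.so"),
    (REQUIRED, "pam_env.so"),
    (SUFFICIENT, "pam_ssh.so"),
]

# Fix 1 (the reporter's): make pam_ssh the required authenticator.
LOGIN_AUTH_PAM_SSH_REQUIRED = LOGIN_AUTH_PAM_SSH_ONLY[:-1] + [(REQUIRED, "pam_ssh.so")]

# Fix 2: keep sufficient, but close the stack with pam_deny.so (assumed here).
LOGIN_AUTH_PAM_SSH_WITH_DENY = LOGIN_AUTH_PAM_SSH_ONLY + [(REQUIRED, "pam_deny.so")]


def wrong_passphrase():
    """Constructed outcomes: everything succeeds except the real authenticator."""
    return {"pam_securetty.so": True, "pam_nologin.so": True, "pam_env.so": True,
            "pam_ssh.so": False, "pam_deny.so": False}


def right_passphrase():
    results = wrong_passphrase()
    results["pam_ssh.so"] = True
    return results


if __name__ == "__main__":
    for name, stack in (("sufficient only", LOGIN_AUTH_PAM_SSH_ONLY),
                        ("required", LOGIN_AUTH_PAM_SSH_REQUIRED),
                        ("sufficient + pam_deny", LOGIN_AUTH_PAM_SSH_WITH_DENY)):
        print("%-22s wrong=%-5s right=%-5s backstop missing=%s" % (
            name,
            evaluate_auth_stack(stack, wrong_passphrase()),
            evaluate_auth_stack(stack, right_passphrase()),
            lacks_backstop(stack)))
```

The first row reproduces the bug: with the wrong passphrase the stack still returns success, because pam_securetty's success already made the impression positive and pam_ssh's failure was ignored. Both hardened stacks reject the wrong passphrase and still accept the right one; with the backstop variant, a correct key short-circuits at the `sufficient` line before `pam_deny.so` is ever reached. The `lacks_backstop` check is the one-line audit worth running over any hand-edited stack.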
--- Begin Message ---
Source: libpam-ssh
Source-Version: 1.92-4

We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.92-4.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.92-4.diff.gz
libpam-ssh_1.92-4.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.92-4.dsc
libpam-ssh_1.92-4_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.92-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <[email protected]> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 21 Dec 2008 00:00:48 +0100
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.92-4
Distribution: experimental
Urgency: low
Maintainer: Jens Peter Secher <[email protected]>
Changed-By: Jens Peter Secher <[email protected]>
Description: 
 libpam-ssh - Single sign-on via private SSH key
Closes: 325351
Changes: 
 libpam-ssh (1.92-4) experimental; urgency=low
 .
   * Make detection of SSH login keys use standard file operation, thanks
     to Luca Niccoli and Steve McIntyre.
   * Do not ship any ssh-auth or ssh-session files in /etc/pam.d because it
     is just as easy and more flexible to add the lines directly in the
     relevant PAM configuration files, thanks to Sylvain Collilieux and
     Steve Langasek.
     (Closes: #325351)
Checksums-Sha1: 
 ec29d16e78ce47977668696bd4e087da342795b9 1207 libpam-ssh_1.92-4.dsc
 d13fea0ad13da11cb478061f775cdcd276d9db1e 17342 libpam-ssh_1.92-4.diff.gz
 67513eca6a6d10450dcf6cb4d8646dfe27b38c32 50504 libpam-ssh_1.92-4_i386.deb
Checksums-Sha256: 
 3992dfb4d0216fdbf68a42edd255e6abcc956702672fd1fb2569a9cf39983b46 1207 libpam-ssh_1.92-4.dsc
 69f69c0ae9185d38a0b0c1e5c0881646c4e18a613b30bab89bd0ca70fabcc3b6 17342 libpam-ssh_1.92-4.diff.gz
 21f87bfe45b9e98f427fcce48a6eb300e1ac3e7f458948366b615d8b4f6304ff 50504 libpam-ssh_1.92-4_i386.deb
Files: 
 561c2deff8b6b13a74d4b5f23a967a8f 1207 admin optional libpam-ssh_1.92-4.dsc
 bf39ff3c58227dcea0c4db12a9519f97 17342 admin optional libpam-ssh_1.92-4.diff.gz
 b10522865a686dec3647077babca2de1 50504 admin optional libpam-ssh_1.92-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iJwEAQECAAYFAklOmnEACgkQiFVdEFPVQL+N5AQAooC4lVgktVOlS8lo6iE+AcrQ
yNnc0IAfG/OXQ6Wm24nSgUiQYBsWP6LW94/mCEXj6QxQO60vcQl3ljdSS5zbE1ld
LAXIfU7LHZUr8BR5EVhj3dnIdaQi/0wXouRXJGYo3+KmQ+QoeAMzrVdzA6so5wrY
8+GbXJDOiWBMwJokc6A=
=bNbU
-----END PGP SIGNATURE-----



--- End Message ---