Package: vlock
Version: 1.3-8
Severity: normal


I'm not entirely clear whether this bug should be a vlock bug or a
libpam-opensc bug.  Since I only see the behavior directly in vlock,
however (neither xscreensaver nor login leak this information), this
makes me think it's a vlock problem and not a libpam-opensc problem.

When I use vlock with libpam-opensc, if the passphrase given is a
different length than the user's actual passphrase, vlock actually
reports that information in the error messages.

I'm running a patched version of vlock right now (see bug #318507),
but even if I run a vanilla 1.3-8 vlock (from an unpacked deb), I get
the same error messages printed to the console.


Here's a transcript of such an interaction (using vlock 1.3-8):

[EMAIL PROTECTED] ~]$ src/vlock/clean-deb/root/usr/bin/vlock
This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
sc_pkcs15_verify_pin: Invalid PIN length
root's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
No such user, .eid dir unreadable, nonexistent or unsafe.
 *** That password is incorrect; please try again. ***

This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
[EMAIL PROTECTED] ~]$ src/vlock/clean-deb/root/usr/bin/vlock
This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
sc_pkcs15_verify_pin: PIN code or key incorrect
root's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
No such user, .eid dir unreadable, nonexistent or unsafe.
 *** That password is incorrect; please try again. ***

This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
[EMAIL PROTECTED] ~]$ 


(Ignore the failures for authenticating against root: root
deliberately can't authenticate with libpam-opensc on this system, so
I just pressed enter there and didn't bother supplying a passphrase.)

For the first failure I deliberately chose a passphrase of a different
length than the actual PIN on the card.  That yields the following
error:

  sc_pkcs15_verify_pin: Invalid PIN length

I then authenticated correctly, and locked again.

For the second vlock auth failure, I deliberately chose a wrong
passphrase that has the same character count as the actual PIN on the
card.  This instead results in two lines of printed error:

  sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
  sc_pkcs15_verify_pin: PIN code or key incorrect

So what I'm seeing here is that vlock is leaking information about the
length of the passphrase when this PAM module is in use.

Please let me know if I can provide any more information about my
system, run any tests, etc.

Thanks for looking into this,

        --dkg



Additional info about my system:

[EMAIL PROTECTED] tmp]$ cat /etc/pam.d/vlock
#%PAM-1.0
@include common-auth
#auth       required    pam_unix.so
#auth required pam_nologin.so
[EMAIL PROTECTED] tmp]$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# auth  required        pam_unix.so nullok_secure
auth required pam_opensc.so
[EMAIL PROTECTED] tmp]$ dpkg -l libpam-opensc
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  libpam-opensc  0.9.6-3        Pluggable Authentication Module for using PK
[EMAIL PROTECTED] tmp]$ 

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages vlock depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libpam0g                      0.79-3     Pluggable Authentication Modules l

vlock recommends no packages.

-- no debconf information

