I have a shell user who is able to log in to his accounts via sshd on FreeBSD 
8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair 
without a password but nullok was not specified, so I think this should be 
considered a bug.

During diagnosis, /etc/pam.d/sshd was configured for authentication using: 

-------------
auth            required      pam_ssh.so              no_warn try_first_pass
-------------

I enabled _openpam_debug in pam_ssh and found this during a login via sshd to 
the user's account:

-------------
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/identity
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/id_dsa
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking login.access for user targetuser from host 172.16.1.240
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: targetuser
Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got login_cap
-------------

The view from the client machine during the login:

-------------
client:/usr/src/lib/libpam/modules/pam_ssh (557) ssh targetuser@fbsd8-i386
SSH passphrase: 
Last login: Tue Nov 15 08:39:28 2011 from 172.16.2.218
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 8.2-RC3 (GENERIC) #0: Sat Jan 29 19:26:23 CST 2011
-------------

So, it asked for the target user's passphrase and successfully authenticated 
with any password. I understand what happened but I'm rather astonished by the 
result - I would not have expected pam_ssh to have succeeded on a passwordless 
key file when a password was required in the pam configuration file, based on 
the pam_ssh.8 man page:

     nullok          Normally, keys with no passphrase are ignored for authen-
                     tication purposes.  If this option is set, keys with no
                     passphrase will be taken into consideration, allowing the
                     user to log in with a blank password.


Thoughts?

Thanks,
Guy Helmer
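
An audit sketch for the exposure reported above, added here as an example; it is not part of the original message and not FreeBSD code. It flags accounts whose private key has no passphrase while a pam_ssh auth line is active, and goes beyond the 2011 key format by also recognising PKCS#8 and OpenSSH-format keys. The function names are hypothetical, and the key bodies are constructed dummies.

```python
import base64
import re
import struct

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
OPENSSH_MAGIC = b"openssh-key-v1\0"

def key_has_passphrase(text):
    """True/False for a private key file's text; None if the format is not recognised."""
    m = PEM_RE.search(text)
    if not m:
        return None
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted container
        return True
    if label == "OPENSSH PRIVATE KEY":            # cipher name follows the magic string
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"
    # Traditional PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header
    return "Proc-Type: 4,ENCRYPTED" in body

def pam_ssh_auth_lines(pam_conf):
    """Return (normalised line, nullok present) for each active pam_ssh auth line."""
    found = []
    for line in pam_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_ssh.so"):
            found.append((" ".join(fields), "nullok" in fields[3:]))
    return found

def audit(pam_conf, keys_by_user):
    """Users whose passphrase-less key is reachable through a pam_ssh auth line."""
    if not pam_ssh_auth_lines(pam_conf):
        return []
    return sorted(u for u, k in keys_by_user.items() if key_has_passphrase(k) is False)

# Constructed sample data: the PAM line is the one quoted in the message, key bodies are dummies.
SAMPLE_PAM = "auth            required      pam_ssh.so              no_warn try_first_pass\n"
SAMPLE_KEYS = {
    "targetuser": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "otheruser": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}
print(audit(SAMPLE_PAM, SAMPLE_KEYS))
```

On a real host, feed `audit` the contents of /etc/pam.d/sshd and each user's key files; users are listed whether or not nullok is set, since the report above shows its absence did not prevent the login.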
