On Nov 15, 2011, at 3:12 PM, Dag-Erling Smørgrav wrote:

> Guy Helmer <[email protected]> writes:
>> I have a shell user who is able to login to his accounts via sshd on
>> FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and
>> .ssh/id_rsa.pub key pair without a password but nullok was not
>> specified, so I think this should be considered a bug.
>
> It turns out that this goes all the way to OpenSSL, which ignores the
> passphrase if the key is not encrypted. The only solution I can think
> of - more of a workaround, really - is to first try to load the key with
> an empty passphrase, and skip the key if that worked. See the attached
> (untested) patch.
>
> A more advanced patch would load all keys but require at least one of
> them to have a passphrase.
>
> DES
> --
> Dag-Erling Smørgrav - [email protected]
>
> <pam_ssh_nullok.diff>
Yes, that patch applied OK to the 8.2 test machine and resolved the issue
with the unencrypted id_rsa private key. I didn't know of any other way to
check the key either - nothing jumped out at me from the OpenSSL API
documentation.

Thanks for the quick turnaround,
Guy

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
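The check the thread describes, written out as an added example (this is not DES's pam_ssh_nullok.diff, nor pam_ssh or OpenSSL code). Instead of asking OpenSSL to load the key with an empty passphrase, it inspects the on-disk encoding to decide whether a key is passphrase-protected: a "Proc-Type: 4,ENCRYPTED" header on traditional PEM keys, the "ENCRYPTED PRIVATE KEY" label on PKCS#8, and the cipher name in the openssh-key-v1 header (a format that postdates this thread and is included here as a generalization). It then applies both policies from DES's mail: skip any key that is not protected, or load everything but require at least one protected key. The key bodies are constructed placeholders, not real keys, and the file names are assumed.

```python
"""Classify private-key files as passphrase-protected or not, and apply
the two pam_ssh policies discussed in the thread. Added example: the
decision is made from the key encoding, not by calling OpenSSL."""
import base64
import re
import struct

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def parse_pem(text):
    """Yield (label, headers, base64_body) for each PEM block in text.
    RFC 1421 headers (Proc-Type, DEK-Info) sit before a blank line."""
    for m in _PEM_RE.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = {}
        if lines and ":" in lines[0]:  # base64 never contains ':'
            while lines and lines[0].strip():
                name, _, value = lines.pop(0).partition(":")
                headers[name.strip()] = value.strip()
            lines = lines[1:]  # drop the blank separator line
        yield label, headers, "".join(l.strip() for l in lines)


def _openssh_cipher(body_b64):
    """Return the ciphername field of an openssh-key-v1 blob ("none" means
    the key is stored in the clear)."""
    blob = base64.b64decode(body_b64)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    (n,) = struct.unpack_from(">I", blob, len(magic))
    start = len(magic) + 4
    return blob[start:start + n].decode()


def key_is_protected(text):
    """True only if every key block in text needs a passphrase to load.
    An unprotected key is exactly the case where OpenSSL ignores the
    passphrase, so pam_ssh must recognise it before comparing a password."""
    blocks = list(parse_pem(text))
    if not blocks:
        raise ValueError("no PEM block found")
    for label, headers, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8, encrypted
            protected = True
        elif label == "PRIVATE KEY":                  # PKCS#8, cleartext
            protected = False
        elif label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
            protected = "ENCRYPTED" in headers.get("Proc-Type", "")
        elif label == "OPENSSH PRIVATE KEY":
            protected = _openssh_cipher(body) != "none"
        else:
            raise ValueError(f"unsupported PEM label: {label}")
        if not protected:
            return False
    return True


def skip_unprotected(keyfiles):
    """DES's workaround: drop every key that would load with an empty
    passphrase, and try only the rest."""
    return {name: pem for name, pem in keyfiles.items() if key_is_protected(pem)}


def require_one_protected(keyfiles):
    """The 'more advanced' variant: keep all keys, but refuse to
    authenticate at all unless at least one of them has a passphrase."""
    if any(key_is_protected(pem) for pem in keyfiles.values()):
        return dict(keyfiles)
    return {}


# ---- constructed sample key files (placeholder bodies, not real keys) ----
def _openssh_pem(cipher):
    blob = (b"openssh-key-v1\x00"
            + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", 4) + b"none"       # kdfname
            + struct.pack(">I", 0)                 # kdfoptions
            + struct.pack(">I", 1))                # number of keys
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_KEYS = {
    "id_rsa_plain": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK\n"
                    "-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                  "MIIBOgIBAAJBAK\n-----END RSA PRIVATE KEY-----\n",
    "id_pkcs8_plain": "-----BEGIN PRIVATE KEY-----\nMIIBOgIBAAJBAK\n"
                      "-----END PRIVATE KEY-----\n",
    "id_ed25519_plain": _openssh_pem("none"),
    "id_ed25519_enc": _openssh_pem("aes256-ctr"),
}

if __name__ == "__main__":
    for name, pem in SAMPLE_KEYS.items():
        print(f"{name}: {'protected' if key_is_protected(pem) else 'UNPROTECTED'}")
    print("skip_unprotected:", sorted(skip_unprotected(SAMPLE_KEYS)))
    print("require_one_protected:", sorted(require_one_protected(SAMPLE_KEYS)))
```

The encoding check is deliberately conservative: a label it does not know raises rather than being treated as protected, since a false "protected" verdict is exactly the failure mode the thread is about.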
