Bug#531341: prints login incorrect without asking for password when entering an invalid login
Hello Steve,

On Wed, Sep 02, 2009 at 01:32:17AM -0700, Steve Langasek wrote:
> > * debian/login.pam: pam_securetty included as a required module instead of requisite to avoid leak of user name information. Closes: #531341
>
> Please revert this change. The 'requisite' module is necessary to prevent exposure of the root password over insecure channels - such as telnet, but also including unencrypted XDMCP connections. root users should never have the opportunity to type their password when the tty is not secure.

Sorry for the long delay, and thanks to Christian for repinging on this topic.

I would prefer to use the following (rather than a requisite):

    auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

The difference with requisite is the addition of user_unknown=bad.

The problem with requisite is that it leaks knowledge on the existing usernames (with pam 1.1.0-4, this leak is limited to insecure lines, but this might not be sufficient).

The possible user enumeration (which was very visible with pam 1.1.0-4 since it occurred on any box on the console ttys) was the cause of numerous complaints, so I think this default would be more sensible than a simple requisite.

IMHO, the only issue is that if root mis-types the username, then a password is prompted. But I consider this can be blamed on root for:
 * mis-typing
 * not remembering that the line is insecure

Do you agree with that choice?

Best Regards,
-- 
Nekral

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
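To make the three control settings debated in this thread concrete, here is an added Python model of the login 'auth' stack (it is not libpam and not code from the login package); the account list, the securetty contents and the reduced set of pam_securetty return codes are assumptions made for the illustration.

```python
# Added model (not libpam, not the shadow/login package's code) of how the
# 'auth' stack in /etc/pam.d/login behaves under the three control settings
# debated in this bug: requisite, required, and the explicit [...] line.
# Only pam_securetty's three relevant return codes are modelled; the user
# list and securetty set below are constructed sample data.

SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"

USERS = {"root", "alice"}        # constructed: accounts present on the box
SECURE_TTYS = {"tty1"}           # constructed: contents of /etc/securetty

# Each control keyword expanded to the action table libpam uses for it.
CONTROLS = {
    "required":  {SUCCESS: "ok", "default": "bad"},
    "requisite": {SUCCESS: "ok", "default": "die"},
    # auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
    "proposed":  {SUCCESS: "ok", USER_UNKNOWN: "bad", "default": "die"},
}

def pam_securetty(user, tty):
    """Return code of pam_securetty: an account that does not exist gives
    USER_UNKNOWN, root on a tty missing from securetty gives AUTH_ERR."""
    if user not in USERS:
        return USER_UNKNOWN
    if user == "root" and tty not in SECURE_TTYS:
        return AUTH_ERR
    return SUCCESS

def login_attempt(control, user, tty, password_ok=True):
    """Walk the stack 'pam_securetty <control>; pam_unix required'.
    Returns (password_prompted, result). 'die' ends the stack before
    pam_unix runs, so no password prompt appears; 'bad' records the
    failure but pam_unix still prompts."""
    actions = CONTROLS[control]
    rc = pam_securetty(user, tty)
    action = actions.get(rc, actions["default"])
    if action == "die":
        return False, "fail"
    failed = action == "bad"
    unix_ok = user in USERS and password_ok   # pam_unix's own verdict
    return True, "ok" if (unix_ok and not failed) else "fail"

def compare(user, tty):
    """Outcome of one login attempt under each control setting."""
    return {c: login_attempt(c, user, tty) for c in CONTROLS}

if __name__ == "__main__":
    # The two cases the thread argues about: unknown name, and root on pts/0.
    for user, tty in (("nosuch", "pts/0"), ("root", "pts/0"), ("root", "tty1")):
        print(user, tty, compare(user, tty))
```

With requisite an unknown name gets "Login incorrect" with no prompt (the enumeration leak), with required root is prompted on an insecure line, and the proposed line prompts for unknown names but still refuses root on pts/0 before any password is typed.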
Bug#531341: prints login incorrect without asking for password when entering an invalid login
reopen 531341
severity 531341 grave
thanks

> * debian/login.pam: pam_securetty included as a required module instead of requisite to avoid leak of user name information. Closes: #531341

Please revert this change. The 'requisite' module is necessary to prevent exposure of the root password over insecure channels - such as telnet, but also including unencrypted XDMCP connections. root users should never have the opportunity to type their password when the tty is not secure.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                   vor...@debian.org
Bug#531341: prints login incorrect without asking for password when entering an invalid login
tags 531341 wontfix
thanks

There are two contradicting security goals, which are to avoid having root's password entered on unsafe lines (and unknown users should be considered as a mistyped 'root'), and to avoid leaking information regarding existing users.

The default can be changed in /etc/pam.d/login.

I'm keeping the bug open and tagged wontfix... until another solution is found or enough arguments are provided to change the default for Debian.

Best Regards,
-- 
Nekral
Bug#531341: prints login incorrect without asking for password when entering an invalid login
Hi,

On Sun, May 31, 2009 at 09:27:09PM +0300, Dmitri Gribenko wrote:
> If you enter an invalid login, you get "login incorrect" immediately. Expected behavior is that password should be asked regardless of login correctness. This is to mitigate user enumeration attacks.

Please look at the pam_securetty.so section in /etc/pam.d/login.

There are two contradicting security goals, which are to avoid having root's password entered on unsafe lines (and unknown users should be considered as a mistyped 'root'), and to avoid leaking information regarding existing users.

I don't really know how to handle this bug. My preference would go to close it (which I will do in a few weeks if there are no answers). Another solution could be to keep it as wontfix as an information bug and wait until somebody finds a cleaner solution.

Dmitri, changing the inclusion of pam_securetty.so from requisite to required is probably what you are looking for.

Best Regards,
-- 
Nekral
Bug#531341: prints login incorrect without asking for password when entering an invalid login
On Sat, Jul 18, 2009 at 8:18 PM, Nicolas François <nicolas.franc...@centraliens.net> wrote:
> Please look at the pam_securetty.so section in /etc/pam.d/login.
>
> There are two contradicting security goals, which are to avoid having root's password entered on unsafe lines (and unknown users should be considered as a mistyped 'root'), and to avoid leaking information regarding existing users.

Thank you for the explanation.

> I don't really know how to handle this bug. My preference would go to close it (which I will do in a few weeks if there are no answers). Another solution could be to keep it as wontfix as an information bug and wait until somebody finds a cleaner solution.

I think it is better to keep it as wontfix.

Best regards,
Dmitri

-- 
main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if (j){printf("%d\n",i);}}} /*Dmitri Gribenko <griboz...@gmail.com>*/
Bug#531341: [Pkg-shadow-devel] Bug#531341: prints login incorrect without asking for password when entering an invalid login
Quoting Dmitri Gribenko (griboz...@gmail.com):
> Package: login
> Version: 1:4.1.3.1-1
> Severity: normal
>
> If you enter an invalid login, you get "login incorrect" immediately. Expected behavior is that password should be asked regardless of login correctness. This is to mitigate user enumeration attacks.

login uses PAM for this and default settings are correct wrt brute force attacks, with a 3 seconds delay before answering "Login incorrect".

Please check your /etc/pam.d/login file, it's probably missing a line like this:

    auth optional pam_faildelay.so delay=300
Bug#531341: [Pkg-shadow-devel] Bug#531341: prints login incorrect without asking for password when entering an invalid login
Quoting Dmitri Gribenko (griboz...@gmail.com):
> On Mon, Jun 1, 2009 at 9:14 AM, Christian Perrier <bubu...@debian.org> wrote:
> > login uses PAM for this and default settings are correct wrt brute force attacks, with a 3 seconds delay before answering "Login incorrect".
>
> The delay is there and works as expected. The problem is that an attacker can distinguish between a valid and an invalid login (in the latter case password is not asked -- this is the problem). Thus, he can first brute force for a login, then for a password. If he couldn't, he would not know which logins are valid on the system.

(please answer to the bug report so that the whole thread remains archived there)

Well, IIRC, this has been debated many times already, in both the Debian package development history and during the upstream development (the Debian maintainer, Nicolas François, is now upstream for shadow).

Again, I don't really see how one could *really* brute force logins when PAM sets a 3 seconds delay for its answer, but let's see what light can be put by Nicolas on this: his memory of these discussions is maybe better than mine.
Bug#531341: prints login incorrect without asking for password when entering an invalid login
Package: login
Version: 1:4.1.3.1-1
Severity: normal

If you enter an invalid login, you get "login incorrect" immediately. Expected behavior is that password should be asked regardless of login correctness. This is to mitigate user enumeration attacks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-rc7-3218911f-30may2009 (SMP w/2 CPU cores)
Locale: LANG=ru_UA.UTF-8, LC_CTYPE=ru_UA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages login depends on:
ii  libc6           2.9-12   GNU C Library: Shared libraries
ii  libpam-modules  1.0.1-9  Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-9  Runtime support for the PAM librar
ii  libpam0g        1.0.1-9  Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information