Package: vlock
Version: 1.3-8
Severity: normal

I'm not entirely clear whether this bug should be a vlock bug or a libpam-opensc bug. Since i only see the behavior directly in vlock, however (neither xscreensaver nor login leak this information), this makes me think it's a vlock problem and not a libpam-opensc problem.

when i use vlock with libpam-opensc, if the passphrase given is a different length than the user's actual passphrase, vlock actually reports that information in the error messages.

i'm running a patched version of vlock right now (see bug #318507), but even if i run a vanilla 1.3-8 vlock (from an unpacked deb), i get the same error messages printed to the console.

Here's a transcript of such an interaction (using vlock 1.3-8):

[EMAIL PROTECTED] ~]$ src/vlock/clean-deb/root/usr/bin/vlock
This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
sc_pkcs15_verify_pin: Invalid PIN length
root's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
No such user, .eid dir unreadable, nonexistent or unsafe.
*** That password is incorrect; please try again. ***
This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
[EMAIL PROTECTED] ~]$ src/vlock/clean-deb/root/usr/bin/vlock
This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
sc_pkcs15_verify_pin: PIN code or key incorrect
root's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
No such user, .eid dir unreadable, nonexistent or unsafe.
*** That password is incorrect; please try again. ***
This TTY is now locked.
Use Alt-function keys to switch to other virtual consoles.
Please enter the password to unlock.
dkg's Using card reader Schlumberger E-Gate
Enter PIN1 [dkg]:
[EMAIL PROTECTED] ~]$

(ignore the failures for authenticating against root: root deliberately can't authenticate with libpam-opensc on this system, so i just pressed enter there, and didn't bother supplying a passphrase).

For the first failure i deliberately chose a passphrase of different length than the actual PIN on the card. That yields the following error:

sc_pkcs15_verify_pin: Invalid PIN length

i then authenticated correctly, and locked again.

For the second vlock auth failure, i deliberately chose a wrong passphrase that has the same character count as the actual PIN on the card. This results instead in two lines of printed error:

sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
sc_pkcs15_verify_pin: PIN code or key incorrect

so what i'm seeing here is that vlock is leaking information about the length of the passphrase when this PAM module is in use.

Please let me know if i can provide any more information about my system, run any tests, etc.

Thanks for looking into this,

--dkg

additional info about my system:

[EMAIL PROTECTED] tmp]$ cat /etc/pam.d/vlock
#%PAM-1.0
@include common-auth
#auth required pam_unix.so
#auth required pam_nologin.so
[EMAIL PROTECTED] tmp]$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# auth required pam_unix.so nullok_secure
auth required pam_opensc.so
[EMAIL PROTECTED] tmp]$ dpkg -l libpam-opensc
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  libpam-opensc  0.9.6-3        Pluggable Authentication Module for using PK
[EMAIL PROTECTED] tmp]$

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages vlock depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libpam0g                      0.79-3     Pluggable Authentication Modules l

vlock recommends no packages.

-- no debconf information
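A constructed simulation of the length oracle this report describes, added here as an example and not code from vlock or libpam-opensc: the diagnostic strings are the ones in the transcript above, while the sample PIN, the stand-in check and the oracle-detection harness are assumptions. It puts the observed behaviour (module diagnostics echoed to the console) beside a hardened variant that collapses every failure to the generic line, and checks both with wrong guesses of several lengths.

```python
import hmac

# Constructed sample PIN for the simulation only; a real card PIN never
# lives in the lock program, the card itself verifies it.
CARD_PIN = "1234"

# Diagnostic strings exactly as they appear in the transcript above.
MSG_LENGTH = "sc_pkcs15_verify_pin: Invalid PIN length"
MSG_WRONG = "sc_pkcs15_verify_pin: PIN code or key incorrect"
MSG_GENERIC = "*** That password is incorrect; please try again. ***"


def verify_pin(guess):
    """Assumed stand-in for the module/card check: returns (ok, reason).
    The reason distinguishes a wrong length from a wrong PIN, which is what
    the transcript shows the real module reporting."""
    if len(guess) != len(CARD_PIN):
        return False, MSG_LENGTH
    if not hmac.compare_digest(guess.encode(), CARD_PIN.encode()):
        return False, MSG_WRONG
    return True, ""


def leaky_unlock(guess):
    """Observed vlock behaviour: the module's diagnostic is echoed, so the
    console text reveals whether the guess had the right length."""
    ok, reason = verify_pin(guess)
    return "unlocked" if ok else reason


def hardened_unlock(guess):
    """Same check, but every failure collapses to the generic line, so the
    console carries only one bit: unlocked or not."""
    ok, _reason = verify_pin(guess)
    return "unlocked" if ok else MSG_GENERIC


def failure_texts(unlock, wrong_guesses):
    """Oracle check: feed wrong guesses of several lengths and collect the
    distinct outputs. More than one distinct text means the console output
    is an oracle over the guess (here, over its length)."""
    return {unlock(g) for g in wrong_guesses}


if __name__ == "__main__":
    probes = ["1", "12", "9999", "55555"]  # constructed wrong guesses
    print("leaky:   ", failure_texts(leaky_unlock, probes))
    print("hardened:", failure_texts(hardened_unlock, probes))
```

The same harness can be pointed at any lock or login program's output to confirm that failures of different kinds are indistinguishable to the person at the console.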