Hi Fritjof, [email protected]([email protected]) on 2016.03.31 11:43:58 +0200: > Wipe out the key from "user.key". > > --f. > > Index: login_yubikey.c > =================================================================== > RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v > retrieving revision 1.10 > diff -u -p -u -r1.10 login_yubikey.c > --- login_yubikey.c 16 Jan 2015 06:39:50 -0000 1.10 > +++ login_yubikey.c 31 Mar 2016 09:38:01 -0000 > @@ -224,6 +224,8 @@ yubikey_login(const char *username, cons > yubikey_hex_decode(uid, hexuid, YUBIKEY_UID_SIZE); > yubikey_hex_decode(key, hexkey, YUBIKEY_KEY_SIZE); > > + explicit_bzero(hexkey, sizeof(hexkey)); > + > /* > * Cycle through the key mapping table. > * XXX brute force, unoptimized; a lookup table for valid mappings > may > @@ -268,6 +270,8 @@ yubikey_login(const char *username, cons > } > break; /* only reached through the bottom of case 0 */ > } > + > + explicit_bzero(key, sizeof(key));
The while loop above has return(AUTH_FAILED) so you don't zero in those cases. Can you change that? > > syslog(LOG_INFO, "user %s uid %s: %d matching keymaps (%d checked), " > "%d crc ok", username, hexuid, mapok, i, crcok); > Also your diff does not apply, I think it has tab vs space issues.
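Review bot: in the first hunk, the `explicit_bzero(hexkey, sizeof(hexkey))` placed directly after the two `yubikey_hex_decode()` calls clears only the hex-encoded copy; the decoded secret now lives in `key` for the rest of `yubikey_login()`, and the hunk does not show where `hexkey` was filled from "user.key", so any intermediate buffer the file contents passed through on the way into `hexkey` is not covered by this change. `sizeof(hexkey)` is also only the buffer length if `hexkey` is a local array rather than a pointer; the declaration is outside the hunk, so that should be confirmed before committing.

Review bot: in the second hunk, the `explicit_bzero(key, sizeof(key))` sits after the closing brace of the key-mapping loop and just before the `syslog()` call, so it runs only when the loop falls through; every `return` taken inside the loop (the reply already points at the `return(AUTH_FAILED)` cases) exits with `key` still populated. A single cleanup path would make the wipe unconditional, for example storing the result in a local, jumping to a label ahead of the `syslog()` on every early exit, and doing the `explicit_bzero()` there, or alternatively calling `explicit_bzero()` before each early `return`. The same array-versus-pointer caveat applies to `sizeof(key)`, and since the diff does not apply cleanly as posted, it needs regenerating against the current revision with the original tab indentation preserved.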
