Hi,

I read https://www.openwall.com/lists/oss-security/2019/12/04/5 and wondered
how the authentication bypass was possible, since the manpage says:

    If this style of authentication does not support challenge response, but
    does support the response service (described below) it should issue
    reject silent and then exit with a 0 status.

So I checked and indeed:

    # /usr/libexec/auth/login_passwd -schallenge foo 3>&1
    authorize

The (untested) patch below makes login_passwd behave as described in the
manpage.

Kind regards,
Thomas
diff --git libexec/login_passwd/login.c libexec/login_passwd/login.c
index 09e683a7366..486d8bfcb8a 100644
--- libexec/login_passwd/login.c
+++ libexec/login_passwd/login.c
@@ -137,7 +137,7 @@ main(int argc, char **argv)
password = readpassphrase("Password:", pbuf, sizeof(pbuf),
RPP_ECHO_OFF);
break;
case MODE_CHALLENGE:
- fprintf(back, BI_AUTH "\n");
+ fprintf(back, BI_SILENT "\n");
exit(0);
break;
default:
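
Review bot: in the MODE_CHALLENGE case the fix depends on BI_SILENT expanding to exactly the "reject silent" string the manpage quotes, and the patch is marked untested, so rerun the command from the message and confirm that fd 3 now carries "reject silent" rather than "authorize" before committing. The `break;` after `exit(0);` is unreachable and could be dropped while this case is being touched, and a one-line comment pointing at the manpage rule would document why a password-only style answers the challenge service this way.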
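
A regression check for the manpage rule quoted in the message, as an added example that is not part of the original message or of OpenBSD: it runs a login script with the challenge service and classifies what comes back on fd 3. The function names and the two stub functions (constructed stand-ins for the script's output before and after the patch) are assumptions.

```shell
#!/bin/sh
# Added example: checks how a BSD-auth login script answers "-s challenge".
# stub_before / stub_after are constructed stand-ins, not OpenBSD code.

# Constructed stub: reproduces the back-channel output shown in the message.
stub_before() { echo 'authorize' >&3; return 0; }

# Constructed stub: the behaviour the manpage asks for.
stub_after() { echo 'reject silent' >&3; return 0; }

# Run a login script (path, or a stub function name) in challenge mode and
# print only what it wrote to the back channel (fd 3).
# Redirection order matters: fd 3 is pointed at our stdout first, then the
# script's own stdout and stderr are discarded.
challenge_reply() {
    prog=$1
    user=$2
    "$prog" -s challenge "$user" 3>&1 >/dev/null 2>&1 </dev/null || true
}

# Classify the reply:
#   BYPASS - the script authorized without ever seeing a response
#   SILENT - "reject silent", as the manpage requires for styles that
#            do not support challenge response
#   REVIEW - anything else (including no output); inspect by hand
classify_challenge() {
    reply=$(challenge_reply "$1" "$2")
    if printf '%s\n' "$reply" | grep -qx 'authorize'; then
        echo BYPASS
    elif printf '%s\n' "$reply" | grep -qx 'reject silent'; then
        echo SILENT
    else
        echo REVIEW
    fi
}

# Demo over the constructed stubs.
for s in stub_before stub_after; do
    echo "$s: $(classify_challenge "$s" foo)"
done
```

On a real system the first argument would be the path of the login script under test, for example the `login_passwd` path used in the message.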