Bug 1629598

Summary: PAM: pam_unix allows to determine if user exists
Product: Fedora
Component: pam
Version: 32
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Riccardo Schirone <rschiron>
Assignee: Iker Pedrosa <ipedrosa>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: tmraz
Whiteboard: sync-to-jira
Fixed In Version: pam-1.3.1-25.fc32 pam-1.3.1-24.fc31
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2020-06-24 01:00:58 UTC

Description Riccardo Schirone 2018-09-17 07:26:25 UTC
Description of problem:
It was reported that the PAM module pam_unix allows unauthenticated users to test the existence of target usernames on servers via the timing of authentication attempts (it's enough to measure the time to get the "Password:" prompt). The behaviour is visible when the option `nullok` is passed as an argument to the module.


Version-Release number of selected component (if applicable):
Versions in Fedora 27/28 and RHEL 7 seem to be affected.


How reproducible:
Enable a telnet server and measure the time to get the "Password: " prompt for existing and non-existing users.


Actual results:
Much longer times for existing users than for non-existing ones.


Expected results:
Almost the same time for all users.


Additional info:
After analysis I found two things that cause this difference in timing:
1) unix_chkpwd is only called for existing users in support.c:_unix_blankpasswd
2) unix_chkpwd verifies pwd hash only if user exists in passverify.c:helper_verify_password
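
Both causes listed above share one pattern: the expensive step (spawning unix_chkpwd, verifying the hash) runs only when the account exists, so the response time itself reveals whether the user is known. The following is an added example written for this page, not pam_unix or unix_chkpwd code, that models the second cause in Python. It puts a naive verifier that returns early for unknown users next to a hardened one that always performs the same slow hash computation against a fixed dummy entry and only then folds in whether the user was found. The in-memory shadow table, the PBKDF2 stand-in for crypt(3), its round count and the hash-call counter are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed parameters for the demonstration; a real system uses crypt(3)
# with the hash configured for /etc/shadow, not this PBKDF2 stand-in.
PBKDF2_ROUNDS = 50_000

# Counter used to show how much slow work each verifier performs per call.
HASH_CALLS = {"count": 0}


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256 as a stand-in for crypt(3))."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Fixed dummy entry that the hardened verifier hashes against whenever the
# requested user does not exist. Its password is never accepted (see `known`).
DUMMY_SALT = b"constructed-dummy"
DUMMY_HASH = hash_password("never-a-valid-login", DUMMY_SALT)


def make_shadow(users: dict) -> dict:
    """Build a constructed in-memory shadow table: username -> (salt, hash)."""
    shadow = {}
    for name, password in users.items():
        salt = os.urandom(16)
        shadow[name] = (salt, hash_password(password, salt))
    return shadow


def verify_naive(shadow: dict, user: str, password: str) -> bool:
    """Shape of the reported behaviour: an unknown user skips the slow hash,
    so a missing account answers much faster than an existing one."""
    entry = shadow.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def verify_hardened(shadow: dict, user: str, password: str) -> bool:
    """Same work on both paths: hash against the real entry or the dummy
    entry, then AND in whether the user existed. Timing now depends on the
    hash cost only, not on account existence."""
    entry = shadow.get(user)
    known = entry is not None
    salt, expected = entry if known else (DUMMY_SALT, DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    return matched and known


def hash_calls_for(verify, shadow: dict, user: str, password: str) -> int:
    """Number of slow-hash computations a single verifier call performs."""
    before = HASH_CALLS["count"]
    verify(shadow, user, password)
    return HASH_CALLS["count"] - before


if __name__ == "__main__":
    shadow = make_shadow({"alice": "correct horse"})  # constructed account
    for verify in (verify_naive, verify_hardened):
        print(verify.__name__,
              "existing user:", hash_calls_for(verify, shadow, "alice", "wrong"),
              "unknown user:", hash_calls_for(verify, shadow, "mallory", "wrong"))
```

The hash-call count is the property to check when reviewing such a fix: the naive verifier does zero slow work for an unknown user and one hash for a known one, while the hardened verifier does exactly one hash in both cases. The same principle covers the first cause as well: the blank-password check that `nullok` triggers has to run through the same helper path whether or not the account exists, otherwise the time to reach the "Password:" prompt still differs.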

Comment 1 Ben Cotton 2019-08-13 16:53:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 2 Ben Cotton 2019-08-13 19:39:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 3 Ben Cotton 2020-02-11 15:49:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 4 Iker Pedrosa 2020-05-12 15:35:45 UTC
I think that I have mitigated the issue by executing non-functional code if the user doesn't exist. Are you willing to test it? I have created a scratch-build for Fedora 32 [1]. If you are using another version of Fedora please let me know and I will create another scratch-build.

Links:
[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=44418950

Comment 18 Iker Pedrosa 2020-06-17 13:06:47 UTC
* master
    af0faf666c5008e54dfe43684f210e3581ff1bca - pam_unix: avoid determining if user exists
    0e9b286afe1224b91ff00936058b084ad4b776e4 - pam_usertype: avoid determining if user exists

Comment 19 Fedora Update System 2020-06-22 07:55:07 UTC
FEDORA-2020-8af26e7928 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8af26e7928

Comment 20 Fedora Update System 2020-06-23 01:04:52 UTC
FEDORA-2020-8af26e7928 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8af26e7928`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8af26e7928

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2020-06-24 01:00:58 UTC
FEDORA-2020-8af26e7928 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2020-06-24 13:25:09 UTC
FEDORA-2020-5bd1682608 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5bd1682608

Comment 23 Fedora Update System 2020-06-25 00:58:22 UTC
FEDORA-2020-5bd1682608 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5bd1682608`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5bd1682608

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 24 Fedora Update System 2020-07-10 01:00:50 UTC
FEDORA-2020-5bd1682608 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.