Bug 849241
Summary: | SSHD sends garbage to pam_authenticate() if the user's shell is not installed on the target system | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stephen Gallagher <sgallagh> |
Component: | openssh | Assignee: | Petr Lautrbach <plautrba> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 17 | CC: | mattias.ellert, mgrepl, plautrba, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-06-20 11:59:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Stephen Gallagher
2012-08-17 19:07:49 UTC
It is logged into /var/log/secure file: Jun 20 13:48:13 f17-openssh sshd[2319]: User ksh not allowed because shell /bin/ksh does not exist The openssh login process tries to not to expose information to client why login fails in order not to give a potential attacker information. So it follows the same steps for an illegal user as for a regular one. Petr, while I agree there, I do have to ask why you call pam_authenticate() at all, once you know that the shell doesn't exist. Furthermore, why does it get called with bad data? I'm not sure where it's getting the garbage it sends, either. Uninitialized buffer? (In reply to Stephen Gallagher from comment #2) > Petr, while I agree there, I do have to ask why you call pam_authenticate() > at all, once you know that the shell doesn't exist. Furthermore, why does it > get called with bad data? openssh requires users to have a valid shell. It handles all invalid users same way - a non-existent user, a user with a locked password, a user with an invalid shell, ... and it tries to prevent username leaks via timing, so it calls pam_authenticate() with a bad password. > I'm not sure where it's getting the garbage it sends, either. Uninitialized > buffer? It uses the hardcoded bad password: static char badpw[] = "\b\n\r\177INCORRECT"; |