If SSSD is used for authentication against a remote server, information about whether a given username is present on the system is leaked. On console login, there is no password prompt for invalid usernames, and in the case of SSHD there is a noticeable difference in delay between a valid and an invalid username.

Affected configuration: authconfig --enablesssdauth --update

Possible workaround (with side-effects): authconfig --enablesysnetauth --update
Acknowledgments: Name: Tomas Mraz (Red Hat), Thorsten Scherf (Red Hat)
The question is whether fixing authconfig to produce a non-vulnerable configuration is sufficient. Unfortunately there is no clear safe way to automatically fix the vulnerable configuration if it is present on the system. At best we would have to require the system administrator to run authconfig --update, as running authconfig automatically can break existing customer modifications of the PAM configuration.
Created attachment 1273319: Proposed patch

The patch fixes the configuration so that pam_unix is skipped only for known non-local users which are not system users.
The patch is for upstream master but can be trivially backported to RHEL 7.4.
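To make the control-flow change concrete, here is a small Python model of the two PAM auth stacks, added as an illustration and not taken from the attached patch; the stack layouts and the module behaviours are assumptions about what authconfig generates. It walks each stack with simplified Linux-PAM control semantics and records whether a password prompt is reached before an unknown name is rejected.

```python
# Toy model of PAM auth-stack control flow showing why the pre-fix stack leaked username
# validity. Module behaviours and both stacks are assumptions, not copied from the patch.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "success", "auth_err", "user_unknown"

LOCAL = {"root": 0, "alice": 1000}   # constructed local accounts (name -> uid)
REMOTE = {"bob": 2000}               # constructed accounts known only to SSSD

def run_module(module, user, trace):
    """Result of one module for `user`; records 'prompt' when a password would be asked."""
    uid = LOCAL.get(user, REMOTE.get(user))
    if module == "pam_localuser.so":
        return PAM_SUCCESS if user in LOCAL else PAM_USER_UNKNOWN
    if module == "pam_succeed_if.so":                 # modelled condition: uid >= 1000
        return PAM_SUCCESS if uid is not None and uid >= 1000 else PAM_AUTH_ERR
    if module in ("pam_unix.so", "pam_sss.so"):
        trace.append("prompt")                        # both prompt before deciding
    return PAM_AUTH_ERR                               # wrong password / pam_deny.so

def run_stack(stack, user):
    """Walk (control, module) entries with simplified Linux-PAM control semantics."""
    trace, failed, i = [], False, 0
    while i < len(stack):
        control, module = stack[i]
        result, i = run_module(module, user, trace), i + 1
        if isinstance(control, dict):                 # [value=action ...] bracket syntax
            action = control.get(result, control["default"])
            if action in ("done", "die"):
                return (PAM_SUCCESS if action == "done" else PAM_AUTH_ERR), trace
            i += action if isinstance(action, int) else 0   # int N skips the next N entries
        elif control == "sufficient" and result == PAM_SUCCESS and not failed:
            return PAM_SUCCESS, trace
        elif control == "requisite" and result != PAM_SUCCESS:
            return result, trace                      # fail at once: no further prompts
        elif control == "required" and result != PAM_SUCCESS:
            failed = True
    return (PAM_AUTH_ERR if failed else PAM_SUCCESS), trace

# Assumed pre-fix shape: pam_unix is skipped for every non-local name, so an unknown name
# falls straight into the requisite pam_succeed_if and is rejected without a prompt.
VULNERABLE = [
    ({"success": "ok", "default": 1}, "pam_localuser.so"),   # skip pam_unix if not local
    ("sufficient", "pam_unix.so"), ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_sss.so"), ("required", "pam_deny.so"),
]
# Assumed post-fix shape: a leading skip-next-on-failure pam_succeed_if means pam_unix is
# skipped only for names that exist and are non-local, non-system users.
FIXED = [({"success": "ok", "default": 1}, "pam_succeed_if.so")] + VULNERABLE

def prompted(stack, user):
    """True if the login would ask for a password before rejecting `user`."""
    return "prompt" in run_stack(stack, user)[1]
```

With the pre-fix stack only existing names are ever prompted, which is the observable leak; with the patched ordering unknown, local and remote names all reach a prompt and are then rejected.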
Patch looks good to me.
Created attachment 1273876: Patch for RHEL-7.4

Untested patch for RHEL-7.4.
Can I include the fix in 7.4?
I think you can include it, it won't go out before the embargo is lifted.
Yes, all good
There is a typo in this patch:

+        if name == "succceed_if" and stack == "auth" and logic == LOGIC_SKIPNEXT_ON_FAILURE:
+            args = args.replace("quiet_success", "quiet")

s/succceed_if/succeed_if
I fixed the typo and pushed to 7.4.
Created authconfig tracking bugs for this issue: Affects: fedora-all [bug 1449106]
Mitigation: Possible workaround (with side-effects): authconfig --enablesysnetauth --update
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2017:2285 https://access.redhat.com/errata/RHSA-2017:2285