Bug 1629598 - PAM: pam_unix allows to determine if user exists
Summary: PAM: pam_unix allows to determine if user exists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 32
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2018-09-17 07:26 UTC by Riccardo Schirone
Modified: 2020-07-10 01:00 UTC (History)

Fixed In Version: pam-1.3.1-25.fc32 pam-1.3.1-24.fc31
Clone Of:
Environment:
Last Closed: 2020-06-24 01:00:58 UTC
Type: Bug
Embargoed:



Description Riccardo Schirone 2018-09-17 07:26:25 UTC
Description of problem:
It was reported that the PAM module pam_unix allows unauthenticated users to test the existence of target usernames on servers via the timing of authentication attempts (it's enough to measure the time to get the "Password:" prompt). The behaviour is visible when the option `nullok` is passed as an argument to the module.


Version-Release number of selected component (if applicable):
Versions in Fedora 27/28 and RHEL 7 seem to be affected.


How reproducible:
Enable telnet server and measure the time to get the "Password: " prompt for existing and non-existing users.


Actual results:
Much bigger times for existing users than for non-existing ones.


Expected results:
Almost the same time for all users.


Additional info:
After analysis I found two things that cause this difference in timing:
1) unix_chkpwd is only called for existing users in support.c:_unix_blankpasswd
2) unix_chkpwd verifies pwd hash only if user exists in passverify.c:helper_verify_password

Comment 1 Ben Cotton 2019-08-13 16:53:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 2 Ben Cotton 2019-08-13 19:39:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 3 Ben Cotton 2020-02-11 15:49:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 4 Iker Pedrosa 2020-05-12 15:35:45 UTC
I think that I have mitigated the issue by executing non-functional code if the user doesn't exist. Are you willing to test it? I have created a scratch-build for Fedora 32 [1]. If you are using another version of Fedora please let me know and I will create another scratch-build.

Links:
[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=44418950
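
Added example, not code from this bug report or from the pam project: a small C model of the two code shapes the description contrasts (hash work only for existing users, versus the comment 4 idea of running equivalent work when the user does not exist). The "shadow" table, account names, passwords and the toy iterated hash are all constructed for the example; the hash is a stand-in for crypt() and is not a real password hash. Instead of a clock, a round counter records how much hash work each path does, which is the quantity the timing difference comes from.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a slow password hash such as crypt(); the round count makes
 * the hash work visibly dominate the rest of the check. Toy only. */
#define STRETCH_ROUNDS 20000UL

/* Counts hash rounds so the two code paths can be compared without a clock. */
static unsigned long hash_rounds_done;

static uint64_t toy_hash(const char *pw, const char *salt)
{
    uint64_t h = 1469598103934665603ULL;            /* FNV-1a offset basis */
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (unsigned long i = 0; i < STRETCH_ROUNDS; i++) {   /* key-stretching stand-in */
        h ^= i;
        h *= 1099511628211ULL;
        h ^= h >> 29;
        hash_rounds_done++;
    }
    return h;
}

/* Constructed sample "shadow" database with two accounts (hypothetical). */
struct shadow_entry { const char *name; const char *salt; uint64_t hash; };
static struct shadow_entry shadow_db[2];
static bool db_ready;

static void init_db(void)
{
    if (db_ready) return;
    unsigned long saved = hash_rounds_done;     /* setup work must not skew the counter */
    shadow_db[0] = (struct shadow_entry){ "alice", "s1", toy_hash("correct horse", "s1") };
    shadow_db[1] = (struct shadow_entry){ "bob",   "s2", toy_hash("battery staple", "s2") };
    hash_rounds_done = saved;
    db_ready = true;
}

static const struct shadow_entry *lookup(const char *name)
{
    init_db();
    for (size_t i = 0; i < sizeof shadow_db / sizeof shadow_db[0]; i++)
        if (strcmp(shadow_db[i].name, name) == 0)
            return &shadow_db[i];
    return NULL;
}

/* Leaky shape (what the report describes): an unknown user returns before any
 * hash work, so the caller answers noticeably faster for unknown names. */
bool verify_leaky(const char *user, const char *pw)
{
    const struct shadow_entry *e = lookup(user);
    if (e == NULL)
        return false;
    return toy_hash(pw, e->salt) == e->hash;
}

/* Hardened shape (the idea in comment 4): an unknown user is run against a
 * dummy entry so the same hash work happens on both paths; the answer is
 * still "reject", and the known/unknown bit is only folded in at the end.
 * Real code would also use a constant-time compare for the hash. */
bool verify_hardened(const char *user, const char *pw)
{
    static const struct shadow_entry dummy = { "*", "dummy-salt", 0 };
    const struct shadow_entry *e = lookup(user);
    bool known = (e != NULL);
    if (!known)
        e = &dummy;
    bool match = (toy_hash(pw, e->salt) == e->hash);
    return known && match;
}

/* Runs one check and reports how much hash work it did. */
unsigned long rounds_for(bool (*verify)(const char *, const char *),
                         const char *user, const char *pw)
{
    init_db();
    hash_rounds_done = 0;
    (void)verify(user, pw);
    return hash_rounds_done;
}

int main(void)
{
    printf("leaky    known=%lu unknown=%lu\n",
           rounds_for(verify_leaky, "alice", "x"), rounds_for(verify_leaky, "nobody", "x"));
    printf("hardened known=%lu unknown=%lu\n",
           rounds_for(verify_hardened, "alice", "x"), rounds_for(verify_hardened, "nobody", "x"));
    return 0;
}
```

The leaky variant does zero hash rounds for an unknown name and the full stretch for a known one; the hardened variant does the full stretch either way while still rejecting unknown users. The table lookup itself (strcmp over a small array) is not constant-time, which is acceptable here only because the stretched hash dominates; a real module has to consider every early exit between receiving the name and prompting, not just the hash call.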

Comment 18 Iker Pedrosa 2020-06-17 13:06:47 UTC
* master
    af0faf666c5008e54dfe43684f210e3581ff1bca - pam_unix: avoid determining if user exists
    0e9b286afe1224b91ff00936058b084ad4b776e4 - pam_usertype: avoid determining if user exists

Comment 19 Fedora Update System 2020-06-22 07:55:07 UTC
FEDORA-2020-8af26e7928 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8af26e7928

Comment 20 Fedora Update System 2020-06-23 01:04:52 UTC
FEDORA-2020-8af26e7928 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8af26e7928`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8af26e7928

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2020-06-24 01:00:58 UTC
FEDORA-2020-8af26e7928 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2020-06-24 13:25:09 UTC
FEDORA-2020-5bd1682608 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5bd1682608

Comment 23 Fedora Update System 2020-06-25 00:58:22 UTC
FEDORA-2020-5bd1682608 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5bd1682608`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5bd1682608

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 24 Fedora Update System 2020-07-10 01:00:50 UTC
FEDORA-2020-5bd1682608 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.
