Description of problem:
It was reported that PAM module pam_unix allows unauthenticated users to test existence of target usernames on servers via timing of authentication attempts (it's enough to measure the time to get the "Password:" prompt). The behaviour is visible when the option `nullok` is passed as argument to the module.

Version-Release number of selected component (if applicable):
Versions in Fedora 27/28 and RHEL 7 seem to be affected.

How reproducible:
Enable telnet server and measure the time to get the "Password: " prompt for existing and non-existing users.

Actual results:
Much bigger times for existing users than for non-existing ones.

Expected results:
Almost same time for all users.

Additional info:
After analysis I found two things that cause this difference in timing:
1) unix_chkpwd is only called for existing users in support.c:_unix_blankpasswd
2) unix_chkpwd verifies pwd hash only if user exists in passverify.c:helper_verify_password
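The two causes listed in the report, modelled as an added example (this is not pam_unix's own code). The helper class stands in for unix_chkpwd, each call to it models one fork/exec of the setuid helper, and PBKDF2 stands in for the crypt() work the helper does; the user table, the `nullok`-style blank entry for "bob" and the dummy hash are constructed here. The `_vuln` functions reproduce the early return the report describes (no helper call and no hashing for an unknown user); the `_fixed` functions always pay the same cost, which is the shape of the mitigation the maintainer describes below:

```python
"""Model of the pam_unix user-enumeration timing leak and its mitigation."""
import hashlib
import hmac
import os
import statistics
import time

ROUNDS = 100_000  # PBKDF2 iterations standing in for the cost of crypt() in the helper


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def make_entry(password: str):
    salt = os.urandom(16)
    return (salt, slow_hash(password, salt))


# Constructed stand-ins for /etc/passwd and /etc/shadow. "" models a blank
# password field, which pam_unix accepts without a prompt when nullok is set.
SHADOW = {"alice": make_entry("correct horse"), "bob": ""}
PASSWD = set(SHADOW)
# Hash of a random secret nobody can supply: hashing is done against it
# whenever the requested user does not exist, so the work is the same.
DUMMY = make_entry(os.urandom(16).hex())


class Helper:
    """Stand-in for unix_chkpwd; every call models one fork/exec of the helper."""

    def __init__(self):
        self.calls = 0   # helper invocations (the cost behind cause 1)
        self.hashes = 0  # password hashes computed (the cost behind cause 2)

    def is_blank(self, user):
        self.calls += 1
        return SHADOW.get(user) == ""

    def verify_vuln(self, user, password):
        # passverify.c:helper_verify_password as reported: unknown user returns
        # before any hashing, so a failed login for a real user takes longer.
        self.calls += 1
        entry = SHADOW.get(user)
        if not isinstance(entry, tuple):
            return False
        self.hashes += 1
        salt, digest = entry
        return hmac.compare_digest(slow_hash(password, salt), digest)

    def verify_fixed(self, user, password):
        # Mitigation shape: hash against the dummy entry when the user is
        # unknown, so the expensive step runs on every path.
        self.calls += 1
        entry = SHADOW.get(user)
        known = isinstance(entry, tuple)
        salt, digest = entry if known else DUMMY
        self.hashes += 1
        ok = hmac.compare_digest(slow_hash(password, salt), digest)
        return ok and known


def blank_password_vuln(helper, user):
    # support.c:_unix_blankpasswd as reported: helper only invoked for
    # existing users, so the "Password:" prompt appears faster for unknown ones.
    if user not in PASSWD:
        return False
    return helper.is_blank(user)


def blank_password_fixed(helper, user):
    # Mitigation shape: invoke the helper regardless of whether the user exists.
    return helper.is_blank(user)


def median_seconds(fn, *args, reps=5):
    samples = []
    for _ in range(reps):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def timing_gap(verify, reps=5):
    """Seconds by which a failed login for "alice" outlasts one for a nonexistent user."""
    existing = median_seconds(verify, "alice", "wrong-password", reps=reps)
    missing = median_seconds(verify, "nosuchuser", "wrong-password", reps=reps)
    return existing - missing


if __name__ == "__main__":
    h = Helper()
    print("vulnerable verify gap: %.3fs" % timing_gap(h.verify_vuln))
    print("fixed verify gap:      %.3fs" % timing_gap(h.verify_fixed))
```

The gap printed for the vulnerable path is roughly one PBKDF2 computation; the fixed path's gap is noise. The counters are the more reliable check: in the fixed variants the number of helper calls and hash computations does not depend on whether the user exists, which is the property a timing-based enumeration attack needs to be absent.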
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
I think that I have mitigated the issue by executing non-functional code if the user doesn't exist. Are you willing to test it? I have created a scratch-build for Fedora 32 [1]. If you are using another version of Fedora please let me know and I will create another scratch-build. Links: [1] https://koji.fedoraproject.org/koji/taskinfo?taskID=44418950
* master
  af0faf666c5008e54dfe43684f210e3581ff1bca - pam_unix: avoid determining if user exists
  0e9b286afe1224b91ff00936058b084ad4b776e4 - pam_usertype: avoid determining if user exists
FEDORA-2020-8af26e7928 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8af26e7928
FEDORA-2020-8af26e7928 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8af26e7928` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8af26e7928 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-8af26e7928 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-5bd1682608 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5bd1682608
FEDORA-2020-5bd1682608 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5bd1682608` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5bd1682608 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-5bd1682608 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.