Bug 1952104 - proftpd might allow logins to accounts without password due to PAM configuration
Summary: proftpd might allow logins to accounts without password due to PAM configuration
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: proftpd
Version: epel7
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2021-04-21 14:03 UTC by Max Grobecker
Modified: 2021-05-21 10:24 UTC (History)

Type: Bug

Description Max Grobecker 2021-04-21 14:03:40 UTC
Description of problem:

In default configuration, proftpd authenticates against PAM using the "proftpd" config.
This config basically includes the "password-auth" rules, which contain
 
  auth  sufficient  pam_unix.so nullok try_first_pass

Thus, users with a deleted password can authenticate via FTP by providing nothing or a random string as a password - you can type whatever you want as a password, it will get accepted and you will be logged in with the identity of the existing user name you provided.


This can be prevented by setting

  auth  sufficient  pam_unix.so try_first_pass likeauth

in the proftpd PAM configuration.



Version-Release number of selected component (if applicable):

Version: proftpd 1.3.5e
Release: 10.el7
Arch:    x86_64


How reproducible:

1. Install proftpd with default config
2. Create a user with a valid shell, but omit password (like, for example, you do when running a service in its own identity)
    -- as a side note: If you set "RequireValidShell off", a usable shell isn't needed
3. Use "passwd -d username" to delete the password
4. Connect to FTP, provide the user name of the account you just created with a totally random password
5. You are logged in now


Actual results:
You are logged in by simply knowing the name of an existing user


Expected results:
You can't log in by just guessing user names


Additional info:
This might be a bug in passwd, since deleting a password will not set "!!" in the password field, but just leave it blank.
So, this *might* affect other services, but at the moment, I can't test.
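As an added example (not part of the bug report or of proftpd), a POSIX shell audit for the two conditions the report combines: a pam_unix auth line carrying "nullok", and accounts whose shadow password field is empty rather than locked. The PAM and shadow samples are constructed; on a real host, pass in the contents of /etc/pam.d/password-auth and /etc/shadow instead.

```shell
#!/bin/sh
# Added audit example, not from the bug report. Detects "nullok" on a pam_unix
# auth line plus an account whose shadow password field is empty (what
# "passwd -d" leaves behind), and shows the line with "nullok" removed.

# Constructed sample of the "auth" section of /etc/pam.d/password-auth.
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so'

# Constructed sample of /etc/shadow; "$6$x" is a placeholder, not a real hash.
SAMPLE_SHADOW='root:$6$x:18700:0:99999:7:::
svc-deleted::18738:0:99999:7:::
svc-locked:!!:18738:0:99999:7:::
nobody:*:18700:0:99999:7:::'

# Print every "auth" line that passes the "nullok" option to pam_unix.so.
pam_nullok_lines() {
    printf '%s\n' "$1" | awk '$1 == "auth" && /pam_unix\.so/ {
        for (i = 1; i <= NF; i++) if ($i == "nullok") { print; break } }'
}

# Print accounts whose password field is empty; "!!", "!" and "*" are locked
# or no-login markers and are deliberately not reported.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Exit 0 only when both conditions hold, i.e. the FTP login path is exposed.
passwordless_ftp_risk() {
    [ -n "$(pam_nullok_lines "$1")" ] && [ -n "$(empty_password_accounts "$2")" ]
}

# Print the PAM stack with "nullok" dropped from pam_unix auth lines.
strip_nullok() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && /pam_unix\.so/ {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "nullok") out = out (out == "" ? "" : " ") $i
            $0 = out
        }
        { print }'
}

if passwordless_ftp_risk "$SAMPLE_PAM" "$SAMPLE_SHADOW"; then
    echo "exposed: nullok is set and these accounts have an empty password field:"
    empty_password_accounts "$SAMPLE_SHADOW"
    echo "hardened pam_unix line:"
    strip_nullok "$SAMPLE_PAM" | grep 'pam_unix\.so'
fi
```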

Comment 1 Paul Howarth 2021-04-22 09:57:08 UTC
It seems to me that this is at least close to the intended behaviour. The "passwd -d" deletes the password to facilitate passwordless login for that user. So why shouldn't the FTP server honour that and allow login with any password?

Comment 2 Max Grobecker 2021-04-23 12:17:58 UTC
I see, passwd -d seems not to be the best choice if you want to remove passwords.
Unfortunately, unlike e.g. sshd or vsftpd, proftpd has no option to disallow logins with empty passwords by itself.
Proftpd has an option "AllowEmptyPasswords", which can be set to disallow empty passwords, but this option does not exist in version 1.3.5e shipped in epel7 since it was introduced with version 1.3.6.
IMHO it might be a sensible option to prevent passwordless logins through PAM for proftpd by default.

Comment 3 Paul Howarth 2021-05-21 10:24:50 UTC
OK, I propose to adopt the proposed PAM change for EPEL-7 only, since the Fedora and EPEL-8 versions can use the "AllowEmptyPasswords" option to prevent use of empty passwords. Does that sound reasonable?

