Bug 253959 - pam_ssh permits authentication with arbitrary string if a passphrase-less key exists
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_ssh
Version: 7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrice Dumas
QA Contact: Fedora Extras Quality Assurance
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: source=debian,impact=moderate,reporte...
Depends On:
Blocks: CVE-2007-0844
Reported: 2007-08-23 08:37 UTC by Tomas Hoger
Modified: 2008-01-28 14:13 UTC (History)

Fixed In Version: 1.92-2.fc7
Clone Of:
Environment:
Last Closed: 2007-08-24 05:44:41 UTC
Type: ---
Embargoed:



Description Tomas Hoger 2007-08-23 08:37:37 UTC
The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the
allow_blank_passphrase option is disabled, allows remote attackers to bypass
authentication restrictions and use private encryption keys requiring a blank
passphrase by entering a non-blank passphrase.

Issue does not seem to be fixed in pam_ssh in Fedora.  Upstream version 1.92
contains fix:

2007-02-06  Andrew J. Korty  <ajk>

        * pam_ssh.c (key_load_private_maybe): New wrapper for
        key_load_private() that checks whether the private key's
        passphrase is blank.  If so and if allow_blank_passphrase is set,
        this function returns NULL.  This approach is necessary because
        key_load_private() will load a key with a blank passphrase
        regardless of the passphrase entered.  Thanks to Rob Henderson for
        the report.


For more info, see Debian bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439150

or additional references on CVE page:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0844
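
Added example, not part of the bug report and not pam_ssh's own code: a small C model of the behaviour the changelog describes, showing why checking only the typed string is insufficient and how a wrapper that first probes the key with an empty passphrase closes the gap. All `toy_*` and `auth_*` names and the sample keys are hypothetical, and the pre-fix flow is an assumed simplification.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a key file; passphrase "" means stored unencrypted. */
struct toy_key { const char *passphrase; };
static const struct toy_key BLANK_KEY = { "" };                  /* constructed */
static const struct toy_key PROTECTED_KEY = { "correct horse" }; /* constructed */

/* Models the behaviour the changelog attributes to key_load_private():
 * an unencrypted key loads whatever passphrase the caller supplies. */
static const struct toy_key *toy_load_private(const struct toy_key *k,
                                              const char *entered)
{
    if (k->passphrase[0] == '\0')
        return k;                        /* nothing to decrypt, input ignored */
    return strcmp(k->passphrase, entered) == 0 ? k : NULL;
}

/* Assumed simplified pre-fix flow: only the typed string is tested for
 * blankness, so any non-blank string reaches the loader. */
static int auth_unpatched(const struct toy_key *k, const char *entered,
                          int allow_blank)
{
    if (!allow_blank && entered[0] == '\0')
        return 0;
    return toy_load_private(k, entered) != NULL;
}

/* Wrapper in the spirit of key_load_private_maybe(): probe the key itself
 * with an empty passphrase and refuse it when blank passphrases are not allowed. */
static const struct toy_key *toy_load_private_maybe(const struct toy_key *k,
                                                    const char *entered,
                                                    int allow_blank)
{
    if (toy_load_private(k, "") != NULL)    /* the key is unprotected */
        return allow_blank ? k : NULL;
    return toy_load_private(k, entered);
}

static int auth_patched(const struct toy_key *k, const char *entered,
                        int allow_blank)
{
    return toy_load_private_maybe(k, entered, allow_blank) != NULL;
}

int main(void)
{
    printf("blank key: unpatched=%d patched=%d\n",
           auth_unpatched(&BLANK_KEY, "anything", 0),
           auth_patched(&BLANK_KEY, "anything", 0));
    printf("protected key, right passphrase: patched=%d\n",
           auth_patched(&PROTECTED_KEY, "correct horse", 0));
    return 0;
}
```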

Comment 1 Patrice Dumas 2007-08-23 10:20:23 UTC
I didn't see that there was an update because there was no announcement...
I'll monitor the files page now. 

Thanks for the report. 

The updated package should be in the repositories soon.

Comment 2 Fedora Update System 2007-08-24 05:44:38 UTC
pam_ssh-1.92-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
