Bug 253959 - pam_ssh permits authentication with arbitrary string if a passphrase-less key exists
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam_ssh
Version: 7
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Patrice Dumas
QA Contact: Fedora Extras Quality Assurance
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: source=debian,impact=moderate,reporte...
Keywords: Security
Blocks: CVE-2007-0844
Reported: 2007-08-23 04:37 EDT by Tomas Hoger
Modified: 2008-01-28 09:13 EST
Fixed In Version: 1.92-2.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-24 01:44:41 EDT
Description Tomas Hoger 2007-08-23 04:37:37 EDT
The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the
allow_blank_passphrase option is disabled, allows remote attackers to bypass
authentication restrictions and use private encryption keys requiring a blank
passphrase by entering a non-blank passphrase.

Issue does not seem to be fixed in pam_ssh in Fedora.  Upstream version 1.92
contains fix:

2007-02-06  Andrew J. Korty  <ajk@iu.edu>

        * pam_ssh.c (key_load_private_maybe): New wrapper for
        key_load_private() that checks whether the private key's
        passphrase is blank.  If so and if allow_blank_passphrase is set,
        this function returns NULL.  This approach is necessary because
        key_load_private() will load a key with a blank passphrase
        regardless of the passphrase entered.  Thanks to Rob Henderson for
        the report.


For more info, see Debian bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439150

or additional references on CVE page:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0844
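
The flaw and the wrapper-style fix described in this report, as an added example that is not pam_ssh's or OpenSSH's code. It is a constructed model: model_key, model_load_private and the auth_* functions are hypothetical stand-ins, the pre-fix check is inferred from the description, and rejecting a non-empty entry for a blank key when blank passphrases are allowed is this example's own choice.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of a private key file; not OpenSSH's Key type. */
struct model_key {
    bool encrypted;          /* false: stored with a blank passphrase */
    const char *passphrase;  /* only meaningful when encrypted */
};
/* Constructed sample keys. */
static const struct model_key BLANK_KEY = { false, "" };
static const struct model_key PROTECTED_KEY = { true, "s3cret phrase" };

/* Stand-in for key_load_private(): an unencrypted key loads no matter
 * what passphrase is supplied, as the ChangeLog entry describes. */
static const struct model_key *
model_load_private(const struct model_key *k, const char *entered)
{
    if (!k->encrypted)
        return k;                       /* passphrase never consulted */
    return strcmp(k->passphrase, entered) == 0 ? k : NULL;
}

/* Pre-fix logic (assumed): the policy tests only the entered string. */
bool auth_before_fix(const struct model_key *k, const char *entered,
                     bool allow_blank_passphrase)
{
    if (!allow_blank_passphrase && entered[0] == '\0')
        return false;
    return model_load_private(k, entered) != NULL;
}

/* Wrapper in the spirit of key_load_private_maybe(): probe the key with
 * "" first to learn whether the key itself is passphrase-less. */
static const struct model_key *
model_load_private_maybe(const struct model_key *k, const char *entered,
                         bool allow_blank_passphrase)
{
    if (model_load_private(k, "") != NULL) {      /* key is blank */
        if (!allow_blank_passphrase)
            return NULL;                          /* policy forbids it */
        return entered[0] == '\0' ? k : NULL;     /* example's choice */
    }
    return model_load_private(k, entered);
}

bool auth_after_fix(const struct model_key *k, const char *entered,
                    bool allow_blank_passphrase)
{
    return model_load_private_maybe(k, entered, allow_blank_passphrase) != NULL;
}
```

The point of the probe is that the policy decision is made on a property of the key, not on the string the user typed.
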
Comment 1 Patrice Dumas 2007-08-23 06:20:23 EDT
I didn't see that there was an update because there was no announcement...
I'll monitor the files page now.

Thanks for the report.

The updated package should be in the repositories soon.
Comment 2 Fedora Update System 2007-08-24 01:44:38 EDT
pam_ssh-1.92-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
