Red Hat Bugzilla – Bug 253959
pam_ssh permits authentication with arbitrary string if a passphrase-less key exists
Last modified: 2008-01-28 09:13:37 EST
The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the
allow_blank_passphrase option is disabled, allows remote attackers to bypass
authentication restrictions and use private encryption keys requiring a blank
passphrase by entering a non-blank passphrase.
Issue does not seem to be fixed in pam_ssh in Fedora. Upstream version 1.92
2007-02-06 Andrew J. Korty <email@example.com>
* pam_ssh.c (key_load_private_maybe): New wrapper for
key_load_private() that checks whether the private key's
passphrase is blank. If so and if allow_blank_passphrase is set,
this function returns NULL. This approach is necessary because
key_load_private() will load a key with a blank passphrase
regardless of the passphrase entered. Thanks to Rob Henderson for
For more info, see Debian bug:
or additional references on CVE page:
I didn't see that there was an update because there was no announcement...
I'll monitor the files page now.
Thanks for the report.
The updated package should be in the repositories soon.
pam_ssh-1.92-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
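The check described in the ChangeLog entry above, as an added example that is not pam_ssh or OpenSSH code: a small C model that contrasts enforcing the option on the entered string with probing the key itself using an empty passphrase. The `toy_key` type, all `toy_*` and `auth_*` functions, and the sample keys are hypothetical, and the unpatched variant is an assumption based on the CVE description.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an on-disk private key (not an OpenSSH type). */
struct toy_key { int encrypted; const char *passphrase; };

/* Models the loader behaviour the ChangeLog describes: an unencrypted key
 * loads successfully no matter which passphrase the caller supplies. */
static const struct toy_key *toy_load_private(const struct toy_key *k,
                                              const char *pass)
{
    if (!k->encrypted)
        return k;
    return strcmp(k->passphrase, pass) == 0 ? k : NULL;
}

/* Assumed pre-fix model: the option is enforced on the entered string only. */
int auth_unpatched(const struct toy_key *k, const char *pass, int allow_blank)
{
    if (!allow_blank && pass[0] == '\0')
        return 0;
    return toy_load_private(k, pass) != NULL;
}

/* Post-fix model: probe with "" first to learn whether the key itself is
 * passphrase-less, then apply the option to that fact. */
static const struct toy_key *toy_load_private_maybe(const struct toy_key *k,
                                                    const char *pass,
                                                    int allow_blank)
{
    if (toy_load_private(k, "") != NULL)      /* key has a blank passphrase */
        return allow_blank ? k : NULL;
    return toy_load_private(k, pass);
}

int auth_patched(const struct toy_key *k, const char *pass, int allow_blank)
{
    return toy_load_private_maybe(k, pass, allow_blank) != NULL;
}

/* Constructed sample keys. */
const struct toy_key blank_key  = { 0, "" };
const struct toy_key locked_key = { 1, "correct horse" };

int main(void)
{
    printf("unpatched=%d patched=%d\n",
           auth_unpatched(&blank_key, "anything", 0),
           auth_patched(&blank_key, "anything", 0));
    return 0;
}
```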