Bug 492153 (CVE-2009-1273) - CVE-2009-1273 pam_ssh: Password prompt varies for existent and non-existent users
Summary: CVE-2009-1273 pam_ssh: Password prompt varies for existent and non-existent u...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-1273
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-03-25 16:39 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-04 11:29:33 UTC
Embargoed:


Attachments
pam_ssh first prompt patch (847 bytes, patch)
2009-03-26 15:07 UTC, Dmitry Butskoy

Description Jan Lieskovsky 2009-03-25 16:39:06 UTC
A security flaw was found in the PAM module providing user authentication based
on SSH keys. A remote attacker could use this flaw to recognize whether a
username/login belongs to the set of user accounts existing on the system,
and subsequently perform a dictionary-based password guessing attack.

Comment 1 Jan Lieskovsky 2009-03-25 16:39:49 UTC
This issue affects all versions of the pam_ssh package, as shipped
with Fedora releases of 9, 10, and devel.

Comment 3 Dmitry Butskoy 2009-03-25 17:47:18 UTC
I can not guess how to reproduce this.

Could you point me to exact pam.d configuration for tests?

Comment 5 Dmitry Butskoy 2009-03-26 15:05:55 UTC
Well,

I've made a patch for the behaviour similar to pam_ldap.

When we detect that it is the first password prompt in the PAM chain, we always use the standard "Password: " prompt, else we use the pam_ssh's prompt if it is needed.

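The prompt-selection rule described in comment 5, written out as an added example in C; this is constructed illustration code, not the pam_ssh patch attached to this bug. The `auth_ctx` struct, the `prompt_before_fix`/`prompt_after_fix` functions, the `first_prompt_is_uniform` check and the exact wording of the key-specific prompt are all assumptions made for the example. The point it shows is the regression check a maintainer wants: when pam_ssh is the first module to ask for a password, the prompt must be byte-identical for an account that exists and one that does not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the state a PAM module sees in pam_sm_authenticate:
 * whether a previous module in the stack already stored PAM_AUTHTOK (so this
 * is not the first password prompt), and whether the named account exists and
 * has SSH keys to unlock. Field and type names are hypothetical. */
struct auth_ctx {
    bool authtok_already_set;   /* a prior module already collected the password */
    bool user_exists;           /* account is present on the system */
    bool user_has_ssh_keys;     /* the account's SSH keys would need a passphrase */
};

#define GENERIC_PROMPT  "Password: "
#define SSH_KEY_PROMPT  "SSH passphrase: "   /* key-specific wording: constructed */

/* Illustrative pre-fix behaviour: the prompt depends on whether the user and
 * their keys exist, so the prompt text itself reveals account validity. */
const char *prompt_before_fix(const struct auth_ctx *c)
{
    if (c->user_exists && c->user_has_ssh_keys)
        return SSH_KEY_PROMPT;
    return GENERIC_PROMPT;
}

/* Behaviour described in comment 5: if this is the first password prompt in
 * the PAM chain, always use the standard prompt regardless of the user; only
 * a later prompt may use the key-specific wording. */
const char *prompt_after_fix(const struct auth_ctx *c)
{
    if (!c->authtok_already_set)
        return GENERIC_PROMPT;
    if (c->user_exists && c->user_has_ssh_keys)
        return SSH_KEY_PROMPT;
    return GENERIC_PROMPT;
}

/* Regression check: for a first-prompt login, an existing account with keys
 * and a non-existent account must receive exactly the same prompt. */
bool first_prompt_is_uniform(const char *(*choose)(const struct auth_ctx *))
{
    struct auth_ctx real  = { .authtok_already_set = false, .user_exists = true,  .user_has_ssh_keys = true  };
    struct auth_ctx bogus = { .authtok_already_set = false, .user_exists = false, .user_has_ssh_keys = false };
    return strcmp(choose(&real), choose(&bogus)) == 0;
}

int main(void)
{
    printf("before fix, first prompt uniform: %s\n",
           first_prompt_is_uniform(prompt_before_fix) ? "yes" : "no");
    printf("after fix, first prompt uniform:  %s\n",
           first_prompt_is_uniform(prompt_after_fix) ? "yes" : "no");
    return 0;
}
```

The design choice mirrors what comment 5 says pam_ldap does: the decision is keyed on PAM stack state (whether an authtok is already present), not on anything about the named user, so the first prompt carries no information about the account. The key-specific prompt is only reachable once some other module has already accepted a password, at which point the caller is an authenticated user rather than an unauthenticated remote party.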
Comment 6 Dmitry Butskoy 2009-03-26 15:07:21 UTC
Created attachment 336821 [details]
pam_ssh first prompt patch

Please, test it in your environments.

Comment 7 Dmitry Butskoy 2009-03-26 15:21:55 UTC
See pam_ssh-1.92-10 at http://kojipkgs.fedoraproject.org/packages/pam_ssh/1.92/

Comment 8 Tomas Hoger 2009-04-09 07:58:07 UTC
CVE-2009-1273:
pam_ssh 1.92 and possibly other versions, as used when PAM is compiled
with USE=ssh, generates different error messages depending on whether
the username is valid or invalid, which makes it easier for remote
attackers to enumerate usernames.

Comment 9 Dmitry Butskoy 2009-04-09 11:24:27 UTC
I cannot put updates (see comment #7) further... Perhaps I have not enough rights for security updates.

Comment 10 Tomas Hoger 2009-04-09 12:45:57 UTC
(In reply to comment #9)
> I cannot put updates (see comment #7) further... Perhaps I have not enough rights
> for security updates.

Ugh?  Can you clarify what exactly you can't do?  I see some built in koji for each Fedora version, so I can only guess your problem is with bodhi, but it should not have any restriction to prevent you from submitting the updates.

Comment 11 Dmitry Butskoy 2009-04-09 12:52:17 UTC
I can't submit the update for F10 ("security", "testing", bug number, do not karma) -- answers something like "server error".

Comment 12 Fedora Update System 2009-04-09 13:03:32 UTC
pam_ssh-1.92-10.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pam_ssh-1.92-10.fc10

Comment 13 Fedora Update System 2009-04-09 13:03:36 UTC
pam_ssh-1.92-10.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam_ssh-1.92-10.fc9

Comment 14 Tomas Hoger 2009-04-09 13:04:51 UTC
Odd, did work for me just fine...  Can you check these and do changes you wanted to do?  Thank you!
  https://admin.fedoraproject.org/updates/pam_ssh

Comment 15 Dmitry Butskoy 2009-04-09 13:12:17 UTC
Well, perhaps it was some temporary issue...

Comment 16 Tomas Hoger 2009-04-29 06:25:57 UTC
Dmitry, if new packages in testing are working fine, can you change request to stable?  Thank you!

Comment 17 Dmitry Butskoy 2009-04-29 12:33:48 UTC
Done.

Comment 18 Fedora Update System 2009-05-02 16:38:48 UTC
pam_ssh-1.92-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-05-02 16:42:50 UTC
pam_ssh-1.92-10.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

