Red Hat Bugzilla – Bug 492153
CVE-2009-1273 pam_ssh: Password prompt varies for existent and non-existent users
Last modified: 2009-05-04 07:29:33 EDT
A security flaw was found in the PAM module providing user authentication based
on SSH keys. A remote attacker could use this flaw to recognize whether some
username/login belongs to the set of user accounts existing on the system,
and subsequently perform a dictionary-based password guessing attack.
This issue affects all versions of the pam_ssh package, as shipped
with Fedora releases of 9, 10, and devel.
I can not guess how to reproduce this.
Could you point me to exact pam.d configuration for tests?
I've made a patch for the behaviour similar to pam_ldap.
When we detect that it is the first password prompt in the PAM chain, we always use the standard "Password: " prompt; otherwise we use pam_ssh's prompt if it is needed.
Created attachment 336821
pam_ssh first prompt patch
Please, test it in your environments.
See pam_ssh-1.92-10 at http://kojipkgs.fedoraproject.org/packages/pam_ssh/1.92/
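The prompt behaviour described in the comment above, as an added Python model for illustration; it is not pam_ssh's code or the attached patch, and the prompt wording, the account set and the function names are assumptions.

```python
"""Model of the pam_ssh prompt oracle and of the "first prompt in the chain" fix.

Constructed simulation: the vulnerable policy mirrors the report (the prompt
text depends on whether the account exists); the fixed policy mirrors the
patch idea (the first password prompt in the PAM chain is always the standard
"Password: " prompt, pam_ssh's own prompt is only used later in the chain).
"""

STANDARD_PROMPT = "Password: "
PAM_SSH_PROMPT = "SSH passphrase: "  # assumed wording of pam_ssh's own prompt

# Constructed sample data: logins that exist on the system and hold SSH keys.
KNOWN_USERS = {"alice", "bob"}
PROBE_NAMES = KNOWN_USERS | {"nosuchuser", "zzz"}  # constructed mix of real and bogus logins


def vulnerable_prompt(username: str, first_in_chain: bool) -> str:
    """Unpatched policy: the prompt varies with account existence, regardless of position."""
    if username in KNOWN_USERS:
        return PAM_SSH_PROMPT
    return STANDARD_PROMPT


def fixed_prompt(username: str, first_in_chain: bool) -> str:
    """Patched policy: a uniform first prompt, pam_ssh's prompt only later in the chain."""
    if first_in_chain:
        return STANDARD_PROMPT
    return PAM_SSH_PROMPT if username in KNOWN_USERS else STANDARD_PROMPT


def leaks_existence(prompt_fn, first_in_chain: bool = True) -> bool:
    """True if an unauthenticated client could tell real logins from bogus ones by prompt text.

    The property a defender checks: over a mix of existing and non-existent
    names, the set of distinct prompts must collapse to a single value.
    """
    seen = {prompt_fn(name, first_in_chain) for name in PROBE_NAMES}
    return len(seen) > 1


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_prompt), ("fixed", fixed_prompt)):
        print(f"{label:10s} first prompt leaks account existence: {leaks_existence(fn)}")
```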
pam_ssh 1.92 and possibly other versions, as used when PAM is compiled
with USE=ssh, generates different error messages depending on whether
the username is valid or invalid, which makes it easier for remote
attackers to enumerate usernames.
I cannot put updates (see comment #7) further... Perhaps I have not enough rights for security updates.
(In reply to comment #9)
> I cannot put updates (see comment #7) further... Perhaps I have not enough rights
> for security updates.
Ugh? Can you clarify what exactly you can't do? I see some builds in koji for each Fedora version, so I can only guess your problem is with bodhi, but it should not have any restriction to prevent you from submitting the updates.
I can't submit the update for F10 ("security", "testing", bug number, do not karma) -- it answers with something like "server error".
pam_ssh-1.92-10.fc10 has been submitted as an update for Fedora 10.
pam_ssh-1.92-10.fc9 has been submitted as an update for Fedora 9.
Odd, did work for me just fine... Can you check these and do changes you wanted to do? Thank you!
Well, perhaps it was some temporary issue...
Dmitry, if new packages in testing are working fine, can you change request to stable? Thank you!
pam_ssh-1.92-10.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
pam_ssh-1.92-10.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.