Your message dated Sat, 13 Dec 2008 00:47:03 +0000
with message-id <[email protected]>
and subject line Bug#422453: fixed in libpam-ssh 1.92-3
has caused the Debian Bug report #422453,
regarding libpam-ssh: Leaks information when configured as sole auth module
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
422453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422453
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-ssh
Version: 1.91.0-9.1
Severity: important
If you replace pam_unix.so with pam_ssh.so as the module for
authenticating users, say, /etc/pam.d/common-auth contains only:
    auth required pam_ssh.so keyfiles=id_dsa
then login will say "Login incorrect" when the user does not exist, and the
following is logged to syslog:
    May 5 23:28:10 in...@viento login[14755]: FAILED LOGIN (1) on 'tty1' FOR `UNKNOWN', Permission denied
Login should behave the same whether the user exists or not, so as not to leak
information.
If you stack this module after pam_unix but still authenticate against
your ssh keys, then pam_unix will generate a false event indicating that
authentication failed.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20.1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages libpam-ssh depends on:
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
Versions of packages libpam-ssh recommends:
pn ssh-krb5 | ssh <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libpam-ssh
Source-Version: 1.92-3
We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:
libpam-ssh_1.92-3.diff.gz
to pool/main/libp/libpam-ssh/libpam-ssh_1.92-3.diff.gz
libpam-ssh_1.92-3.dsc
to pool/main/libp/libpam-ssh/libpam-ssh_1.92-3.dsc
libpam-ssh_1.92-3_i386.deb
to pool/main/libp/libpam-ssh/libpam-ssh_1.92-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jens Peter Secher <[email protected]> (supplier of updated libpam-ssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 05 Dec 2008 17:27:40 +0100
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.92-3
Distribution: experimental
Urgency: low
Maintainer: Jens Peter Secher <[email protected]>
Changed-By: Jens Peter Secher <[email protected]>
Description:
libpam-ssh - Single sign-on via private SSH key
Closes: 422453 425735
Changes:
libpam-ssh (1.92-3) experimental; urgency=low
.
* Use all SSH keys in the special directory $HOME/.ssh/login-keys.d,
thanks to Steve Langasek, Vincent Zweije, and Peter Palfrader.
* Documented an alternative fall-through use, thanks to Luca Niccoli.
* Avoid leaking information about the existence of users or presence of
SSH login keys, thanks to Allan Wind.
(Closes: #422453)
* The cleanup of the way PAM exits are made also seems to have fixed the
ssh-agent problems after failed login.
(Closes: #425735)
* Removed implementation-specific information from the manual page, and
added more information suited for administrators.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklDA0oACgkQDuWXiv5j6KG5AACbBchnpqxVH9b7zY+5ZcgwoS5G
dVYAn1NmFy4MPxwgm2ZTNw6bSBCHTeVT
=fg5j
-----END PGP SIGNATURE-----
--- End Message ---
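
The behaviour requested in the report and recorded in the changelog entry ("Avoid leaking information about the existence of users or presence of SSH login keys") amounts to making an unknown user, a user without a login key, and a wrong passphrase look identical to the client. The C model below is an added example, not libpam-ssh code or its patch; the account table, `leaky_auth`, `uniform_auth`, and the string comparison standing in for key decryption are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample data. NULL passphrase: account exists, no SSH login key. */
struct account { const char *name; const char *key_passphrase; };
static const struct account accounts[] = {
    { "alice", "correct horse" },
    { "bob", NULL },
};
enum result { AUTH_OK, AUTH_FAIL, AUTH_NO_USER, AUTH_NO_KEY };
/* What the client can observe: result code and whether a prompt appeared. */
struct outcome { enum result code; int prompted; };

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) return &accounts[i];
    return NULL;
}
/* Stand-in for decrypting the key: compare without an early exit. */
static int equal_ct(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i % (lb ? lb : 1)]);
    return diff == 0;
}
/* Hypothetical leaky flow: each failure cause is distinguishable. */
struct outcome leaky_auth(const char *user, const char *pass) {
    const struct account *a = lookup(user);
    if (!a) return (struct outcome){ AUTH_NO_USER, 0 };
    if (!a->key_passphrase) return (struct outcome){ AUTH_NO_KEY, 0 };
    return (struct outcome){ equal_ct(pass, a->key_passphrase) ? AUTH_OK : AUTH_FAIL, 1 };
}
/* Uniform flow: always prompt, always do the comparison work, and
   collapse every failure into AUTH_FAIL. */
struct outcome uniform_auth(const char *user, const char *pass) {
    static const char dummy[] = "placeholder";
    const struct account *a = lookup(user);
    const char *expect = (a && a->key_passphrase) ? a->key_passphrase : dummy;
    int ok = equal_ct(pass, expect) & (expect != dummy);
    return (struct outcome){ ok ? AUTH_OK : AUTH_FAIL, 1 };
}
int main(void) {
    const char *users[] = { "alice", "bob", "mallory" };
    for (int i = 0; i < 3; i++) {
        struct outcome l = leaky_auth(users[i], "guess"), u = uniform_auth(users[i], "guess");
        printf("%-8s leaky=(%d,%d) uniform=(%d,%d)\n", users[i], l.code, l.prompted, u.code, u.prompted);
    }
    return 0;
}
```

The same rule applies to what is returned to the calling application: distinct internal causes can still be recorded server-side, as long as the client-visible result and prompt sequence do not vary with them.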