Re: [opensc-devel] pam_pkcs11 (enable debug)

Tue, 21 Sep 2010 09:45:55 -0700 

Hello Ludovic,

> 2010/9/20 Andre Zepezauer <[email protected]>:
> > Hello,
> >
> > today I had to configure a host with pam_pkcs11. Doing that, I was
> > forced to edit the files in /etc/pam.d/ to get the debug messages of
> > pam_pkcs11. The corresponding option in the configuration file doesn't
> > have any effects. The attached patch fixes this unexpected behaviour.
> 
> Fixed in revision 448.
> Thanks.

There is another issue with the output of debug messages. It is that the
users pin will be log by default. This can only be disabled at
compilation time. I assume that there will be always some systems where
debug is enabled. This is not a recommended practise, but could be
happen accidentally of course.

In my opinion, logging the users pin brings no real benefits, but can
cause serious harm to some operators. Therefore I would recommend to
drop this feature. Corresponding patch is attached.

The second patch improves error handling and removes the attempt to
clear a string of length zero. Which is in all cases a nop.

Regards
Andre



Index: src/pam_pkcs11/pam_pkcs11.c
===================================================================
--- src/pam_pkcs11/pam_pkcs11.c	(revision 448)
+++ src/pam_pkcs11/pam_pkcs11.c	(working copy)
@@ -449,9 +449,6 @@
 					"pam_get_pwd() failed: %s", pam_strerror(pamh, rv));
 			return pkcs11_pam_fail;
 		}
-#ifndef DEBUG_HIDE_PASSWORD
-		DBG1("password = [%s]", password);
-#endif
 
 		/* check password length */
 		if (!configuration->nullok && strlen(password) == 0) {
Index: src/common/pkcs11_lib.c
===================================================================
--- src/common/pkcs11_lib.c	(revision 448)
+++ src/common/pkcs11_lib.c	(working copy)
@@ -44,9 +44,6 @@
 
   /* get password */
   pin =getpass("PIN for token: ");
-#ifndef DEBUG_HIDE_PASSWORD
-  DBG1("PIN = [%s]", pin);
-#endif
   /* for safety reasons, clean PIN string from memory asap */
 
   /* check password length */

Index: src/common/pkcs11_lib.c
===================================================================
--- src/common/pkcs11_lib.c	(revision 448)
+++ src/common/pkcs11_lib.c	(working copy)
@@ -47,11 +47,13 @@
 #ifndef DEBUG_HIDE_PASSWORD
   DBG1("PIN = [%s]", pin);
 #endif
-  /* for safety reasons, clean PIN string from memory asap */
+  if (pin == NULL) {
+    set_error("Error encountered while reading PIN");
+    return -1;
+  }
 
   /* check password length */
   if (!nullok && strlen(pin) == 0) {
-    memset(pin, 0, strlen(pin));
     free(pin);
     set_error("Empty passwords not allowed");
     return -1;
@@ -62,7 +64,7 @@
   memset(pin, 0, strlen(pin));
   free(pin);
   if (rv != 0) {
-    /* DBG1("pkcs11_login() failed: %s", get_error()); */
+    set_error("pkcs11_login() failed: %s", get_error());
     return -1;
   }
   return 0;

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to