Re: Debian bug 531341

[Julie]

Nicolas,


Then I will try to remember this thread when I look again at this bug.
Hopefully soon.


We can summarize the conclusions and post that to the bug.  How does that 
sound?



The purpose is that the root user cannot sign in over a secure line,
regardless of whether or not the user knows the correct password.
There are two (equally valid) approaches --


pam_securetty.so was recently changed to include rejection of invalid
users. So it does not seems to my mis-interpretation but a different
interpretation of what pam_securetty.so is used for.


The PROPER behavior of pam_securetty is supposed to be that it returns
"failure" only when the user is "root" and the TTY is not "secure".


1). The classic solution where root can enter the correct password,
but the login attempt still reports "login incorrect" because it has
failed the secure TTYs file test.


This looks like a "required" pam_securetty.so


If I understand the current pam_securetty, yes.


2). A more modern solution where before the password is prompted,
the attempt is intercepted with a message such as "unauthorized
user".


I do not really understand solution 2.
You receive an "unauthorized user" only if the user is root.
Valid (but not root) and invalid users are prompted for a password.
Valid (but not root) users with a correct password are allowed to login.


Correct.  Or any other user who requires a secure TTY.


This looks similar to a pam_securetty.so configured with:
[success=ok new_authtok_reqd=ok user_unknown=ok ignore=ignore default=die]


That's Greek to me.  Despite repeated requests for funding, I was unable to 
get AIX to use PAM while I was the AIX security architect.  I understand 
that the money was finally budgeted and PAM was doing more properly since I 
left that department.



Depending on your CAPP profile, either may be appropriate -- when I
was the NSA Vendor Security Analyst for the first several IBM
security evaluations (I led four, as I recall), I used the more
classical approach, and that was approved both by the NSA and by

 
"that" is either of solution 1) or 2), or only one of them?


Well, if either is acceptable, then so are "both", unless the actual profile 
specified one or the other.  Both are capable of working, one just works ... 
differently.  The primary difference is that UNIX systems always prompted 
for the password.  When the user didn't exist, the encryption spin was still 
performed to prevent Timing Attacks as a means of performing an Enumerated 
User attack.  Since secure TTYs is now a standard feature, nothing is gained 
or lost either way.



whatever the German evaluation authority is called (something like
Government Agency for Security in Information Technologies, only in
German).  We did TCSEC, ITSEC and CC evaluations, as the different
schemes all worked their way through the industry.



From what I understand, you would recommend to change the default

/etc/pam.d/login to use a "required" pam_securetty.so.
Is that correct?


As I understand the current pam_securetty, that's correct.


This will cause the password to be asked for, but the login to be rejected
at the end.


The objective, in the long run, is to ALWAYS reject "root" on an insecure 
TTY.  How you achieve that objective has to fit in with the rest of the CAPP 
profile, including the prevention of User Enumeration attacks.



Thanks a lot for this!


Not a problem!  I wasn't able to kibitz with Shadow for 14 years while I 
worked for IBM.  But now that they've let me go, I plan to get involved 
again.  I like to think of the period as Shadow's "teenage years".  It's now 
22 years old and I figure it's time to be reunited with its mother ;)


-- Julie. 



--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Re: Debian bug 531341

[Julie]

Nicolas,

I've taken the "bug" e-mail address out of the Cc list -- don't think this 
discussion would be productive there.


I had a feeling you weren't going to be able to quote a source -- the 
interpretation of the requirement is contradicting the clear intent of 
another requirement.  This means the interpretation is incorrect.


The purpose of the "root password doesn't flow on an insecure line" isn't to 
prevent all possible root passwords from flowing on the line -- consider the 
case where the user "rot" does exist, and "root" mistypes their password. 
Your interpretation misses that case.  Something is clearly wrong with the 
interpretation, then.


The purpose is that the root user cannot sign in over a secure line, 
regardless of whether or not the user knows the correct password.  There are 
two (equally valid) approaches --


1). The classic solution where root can enter the correct password, but the 
login attempt still reports "login incorrect" because it has failed the 
secure TTYs file test.


2). A more modern solution where before the password is prompted, the 
attempt is intercepted with a message such as "unauthorized user".


Depending on your CAPP profile, either may be appropriate -- when I was the 
NSA Vendor Security Analyst for the first several IBM security evaluations 
(I led four, as I recall), I used the more classical approach, and that was 
approved both by the NSA and by whatever the German evaluation authority is 
called (something like Government Agency for Security in Information 
Technologies, only in German).  We did TCSEC, ITSEC and CC evaluations, as 
the different schemes all worked their way through the industry.


I wrote many of the secure interfaces in Shadow when I was working on the 
B2/CMW evaluation of AIX 3.1S that never took place -- the secure TTYs 
functionality in Shadow today meets all of the requirements up through at 
least B2.  Since CAPP is "below" the old TCSEC B2 requirements (MAPP is the 
B-level requirements), there's no CAPP requirement for anything stronger 
than secure TTYs.


Now, the risk from user enumeration attacks, which you are allowing because 
of the "login incorrect" flow on an unknown user is fairly serious.  So, 
you've traded an attack that is successfully being prevented by the secure 
TTYs mechanism (root can't login even if the attacker knows the root 
password, unless the attacker has access to a secure line, and that violates 
the Physical Protection / Controlled Access requirements in most CAPP 
profiles), for one that can grant escalation of privilege -- attacker 
performs User Enumeration attack, followed by Password Dictionary attack, 
gains access, exploits local bug, escalates privilege.


-- Julie Haugh
creator, Linux Shadow Password Suite.

--
From: "NicolasFrançois" 
Sent: Monday, July 20, 2009 5:25 PM
To: 
Cc: <531...@bugs.debian.org>; 
Subject: Re: Debian bug 531341


Hello,

On Mon, Jul 20, 2009 at 02:01:27PM -0500, tallg...@austin.rr.com wrote:


I think that you're confusing the requirement that unknown user names
not be logged, because they might be a user's password with the
non-existent requirement that all unknown user names be treated like
"root" and not prompted for a password.


No, I was not mentioning the case where an user types her password instead
of her username.


If you still think you're right, I'd like to see the source for the
requirement.  I've been through a number of formal evaluations as the
vendor lead (IBM) and we never had that requirement under any evaluation
scheme.


I cannot point you to any source of requirements, except mine:
1. root's password should not be transmitted on insecure lines
   => The password should not be prompted if login is on an insecure line
  and login thinks the user might be root.
2. root can mistype her username
   => Any invalid user might be a mistyped "root"
3. login should not leak information about the valid usernames on the
   system.
   => The user should be prompted a password whether the username is valid
  or not.

I do not think those requirements can be satisfied at the same time.


The current /etc/pam.d/login contains:
auth   requisite  pam_securetty.so

The intent is that if root logs on a non secure line, the PAM stack is
interrupted immediately (changing requisite to required would just make
the login fail, but other modules in the PAM stack would be triggered),
hence the user will not be prompted for a password, hence (hopefully) the
root password will not pass through this insecure line.

Now if root mis-type her username (let say rot instead of root),
pam_securetty.so will just notice that this is an unknown username, and
will still return with an error. The stack will also be int

[no subject]

[Julie]

Want a Watch?
http://ath.hensi.com



-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.289 / Virus Database: 265.4.3 - Release Date: 11/26/2004


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]