Re: Any Account Logs In With Any Password
On Wed, 27 Oct 2010, Jordon Bedwell wrote:
> On 10/27/2010 04:05 PM, Henrique de Moraes Holschuh wrote:
> > On Mon, 25 Oct 2010, Michael Loftis wrote:
> >> checks prior to this indicate a soft success. If you remove
> >> authentication from your system, it's expected that any attempt to
> >> access will pass, barring any specific denial.
> >
> > If I remove authentication from my system, I expect it to tell me to get
> > lost, as that is the _only_ safe failure scenario. Recovery is supposed to
> > be done through single-user mode and sulogin in that case (if you don't have
> > a root window already open somewhere, that is).
> >
> > This fail-unsafe behaviour looks like it is a "feature" of the default
> > config being shipped in /etc/pam.d/common-*. I wonder what is the
> > justification behind that decision...

Hmm, looking at it very carefully, it is not. common-auth defines pam_deny as "requisite", and pam_permit as "required". This will *always* fail to authenticate, i.e. it IS failing safe (to a locked state). So, no, it is not a misfeature of the config being shipped.

Now, if you manage to mess with that pam_deny, then all hell breaks loose, because the existence of that pam_permit disables libpam's internal fail-safe. We would be better off without that pam_permit line at all, if it is not important for some non-cosmetic reason (which it might well be! I am wondering what the reason is, however). But just commenting the pam_unix line should not be able to open the system wide open.

> Wait, let me get this right. You have a *server running*, you then
> *remove authentication* on said server and then you *expect* the system

Remove authentication: You explicitly configure pam to remove authentication. That means adding a "sufficient pam_permit.so" at the right place, which is not something a typo should cause.

Break authentication: A typo.

Fail unsafe: system is now wide open. Security breaches are possible.

Fail safe: system is now locked down for new authentications; already authenticated sessions keep working (and can be used to repair the system, for example). Special procedures can be used to restore normal operation in the worst case. No security breach happens because of the failure.

So, yes, it is supposed to fail to a locked-down state, and the more resilient it is in failing to a locked state when misconfigured (instead of opening the system to unauthorized access), the better.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101028023005.ge27...@khazad-dum.debian.net
Re: Any Account Logs In With Any Password
On Wed, Oct 27, 2010 at 19:16, Jordon Bedwell wrote:
> On 10/27/2010 05:19 PM, Jim P wrote:
>> Please move this thread to debian-u...@. EOM
>
> I find it ironic you top post and don't trim while asking people to move
> something to Debian-User.

That was posted from a mobile device. This isn't. It's a fact of modern life, as much as we dislike it.

> This guy has what /he/ thinks is a /security
> issue/. According to Debian this list is: Discussions about /security
> issues/, including cryptographic issues, that are of interest to all
> parts of the Debian community.

But it's already been proven to NOT be a security issue. It's a user of Debian issue.

-Jim P.

Archive: http://lists.debian.org/aanlktim+uua4+hc9ki+9b3col1jvdqmxpixekejwy...@mail.gmail.com
Re: Any Account Logs In With Any Password
On 10/27/2010 05:19 PM, Jim P wrote:
> Please move this thread to debian-u...@. EOM

I find it ironic you top post and don't trim while asking people to move something to Debian-User. This guy has what /he/ thinks is a /security issue/. According to Debian this list is: Discussions about /security issues/, including cryptographic issues, that are of interest to all parts of the Debian community.

Archive: http://lists.debian.org/4cc8b2d7.90...@envygeeks.com
Re: Any Account Logs In With Any Password
Please move this thread to debian-u...@. EOM

-Jim P.

On Oct 27, 2010 6:16 PM, "Jordon Bedwell" wrote:
> On 10/27/2010 04:05 PM, Henrique de Moraes Holschuh wrote:
>> On Mon, 25 Oct 2010, Michael Loftis wrote:
>>> checks prior to this indicate a soft success. If you remove
>>> authentication from your system, it's expected that any attempt to
>>> access will pass, barring any specific denial.
>>
>> If I remove authentication from my system, I expect it to tell me to get
>> lost, as that is the _only_ safe failure scenario. Recovery is supposed to
>> be done through single-user mode and sulogin in that case (if you don't have
>> a root window already open somewhere, that is).
>>
>> This fail-unsafe behaviour looks like it is a "feature" of the default
>> config being shipped in /etc/pam.d/common-*. I wonder what is the
>> justification behind that decision...
>
> Wait, let me get this right. You have a *server running*, you then
> *remove authentication* on said server and then you *expect* the system
> to tell everybody to go away? So if that is the case, why would you be
> running the server in the first place? An ironic situation... I like
> the idea of blaming the system for an administrator's lack of competency
> when it comes to systems security.
Re: Any Account Logs In With Any Password
On 10/27/2010 04:05 PM, Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success. If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
>
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario. Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).
>
> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*. I wonder what is the
> justification behind that decision...

Wait, let me get this right. You have a *server running*, you then *remove authentication* on said server and then you *expect* the system to tell everybody to go away? So if that is the case, why would you be running the server in the first place? An ironic situation... I like the idea of blaming the system for an administrator's lack of competency when it comes to systems security.

Archive: http://lists.debian.org/4cc89f0b.4090...@envygeeks.com
Re: Any Account Logs In With Any Password
On Wed, Oct 27, 2010 at 05:22:26PM -0400, Brad Tilley wrote:
> I felt the same way. I understand that I removed authentication by
> accidentally commenting out that line, but I thought that would cause
> authentication to fail. Obviously, authentication is not succeeding,
> it's just that authentication is not happening at all and you can type
> anything and get a shell on the remote system (provided you know a user
> name). In short, that behavior surprised me.

I disagree: if authentication was removed from a system (regardless of whether by accident or not), I would expect the result to be a system with no authentication. Not a system in which authentication had become impossible.

Perhaps a comment above the line, warning that removing that line removes the requirement of authentication?

Regards,
Mark.

Archive: http://lists.debian.org/20101027220013.go13...@markv.18londonst.co.nz
Re: Any Account Logs In With Any Password
Don't want to sound flame bait but... This is just a typical PEBKAC problem. As an admin you are always able to remove authentication from a system no matter how "safe" the failsafe is. How about: don't experiment with stuff that you don't fully understand? The original post was about doing something that totally breaks the security of the system. If you move this function elsewhere, he might have changed that too! PAM is well documented and used everywhere.

-- 
A bug magnet

On Oct 27, 2010, at 17:05, Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success. If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
>
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario. Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).
>
> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*. I wonder what is the
> justification behind that decision...
>
> -- 
> "One disk to rule them all, One disk to find them. One disk to bring
> them all and in the darkness grind them. In the Land of Redmond
> where the shadows lie." -- The Silicon Valley Tarot
> Henrique Holschuh

Archive: http://lists.debian.org/94b209dd-3c03-4e3c-b30f-8f7859faa...@gmail.com
Re: Any Account Logs In With Any Password
Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success. If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
>
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario. Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).

I felt the same way. I understand that I removed authentication by accidentally commenting out that line, but I thought that would cause authentication to fail. Obviously, authentication is not succeeding, it's just that authentication is not happening at all and you can type anything and get a shell on the remote system (provided you know a user name). In short, that behavior surprised me. I expected an authentication failure, but got a shell instead.

Brad

> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*. I wonder what is the
> justification behind that decision...

Archive: http://lists.debian.org/4cc89812.80...@16systems.com
Re: Any Account Logs In With Any Password
On Mon, 25 Oct 2010, Michael Loftis wrote:
> checks prior to this indicate a soft success. If you remove
> authentication from your system, it's expected that any attempt to
> access will pass, barring any specific denial.

If I remove authentication from my system, I expect it to tell me to get lost, as that is the _only_ safe failure scenario. Recovery is supposed to be done through single-user mode and sulogin in that case (if you don't have a root window already open somewhere, that is).

This fail-unsafe behaviour looks like it is a "feature" of the default config being shipped in /etc/pam.d/common-*. I wonder what is the justification behind that decision...

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20101027210533.gb27...@khazad-dum.debian.net
Re: Any Account Logs In With Any Password
Depends on your full stack, but yes, this is the PAM behavior, as checks prior to this indicate a soft success. If you remove authentication from your system, it's expected that any attempt to access will pass, barring any specific denial.

--On Monday, October 25, 2010 17:16 -0400 Brad Tilley wrote:

    While experimenting with PCI DSS on a default Debian Linux system, I found that when I comment out this line:

    auth    required    pam_unix.so nullok_secure

    in /etc/pam.d/common-auth, any account may ssh into the box by typing anything as the password. Is this the desired behavior? I would think that it would fail by default.

Archive: http://lists.debian.org/85db4032fbdb47dbec79c...@[192.168.1.66]
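The "soft success from earlier checks" that this message describes, and the pam_deny/pam_permit fail-safe analysis in Henrique's later reply above, both come down to how libpam combines the verdicts of the modules left in the stack. The model below is an added example written for this thread, not code from the thread or from Linux-PAM. Both stack layouts in it are assumptions: a hypothetical older sshd stack in which a pam_env line precedes the `auth required pam_unix.so nullok_secure` line quoted in the thread, and a pam-auth-update style common-auth carrying the `requisite pam_deny.so` / `required pam_permit.so` lines the thread mentions. The model also assumes that a `[success=N]` jump casts no verdict of its own, which is what makes the trailing pam_permit necessary for a correct password to succeed.

```python
"""Added example: a small model of Linux-PAM auth-stack dispatch, used to show
why commenting out the pam_unix line fails open in one layout and fails closed
in another.  This is not libpam's code; the two stacks below are assumptions
described in their comments."""
import re

SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"

# Keyword controls expressed as [value=action] tables (pam.conf(5) equivalents,
# with the rarely relevant new_authtok_reqd entries left out).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_stack(text, returns):
    """Turn 'auth <control> <module> [args]' lines into (actions, module, retval)
    tuples.  `returns` maps module name -> simulated return code; modules not
    listed are assumed to succeed, as pam_env and pam_permit do."""
    defaults = {"pam_deny.so": PERM_DENIED}
    defaults.update(returns)
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            actions = {}
            for kv in control[1:-1].split():
                key, val = kv.split("=", 1)
                actions[key] = int(val) if val.isdigit() else val
        else:
            actions = KEYWORDS[control]
        stack.append((actions, module, defaults.get(module, SUCCESS)))
    return stack

def dispatch(stack):
    """Walk the stack the way libpam does.  `impression` records whether any
    module has cast a verdict; if none has (empty stack, everything ignored),
    the result is a failure: libpam's internal fail-safe."""
    impression, status, skip = None, PERM_DENIED, 0
    for actions, module, retval in stack:
        if skip:
            skip -= 1                   # jumped over by an earlier [success=N]
            continue
        action = actions.get(retval, actions.get("default", "bad"))
        if isinstance(action, int):
            # Jump: skip the next N modules.  Modelled as casting no verdict
            # (assumption), which is why a stack built from jumps needs a
            # trailing pam_permit to "prime" a positive result.
            skip = action
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        # "ignore": contributes nothing
    return PERM_DENIED if impression is None else status

# Hypothetical older layout: a pam_env line in /etc/pam.d/sshd comes before a
# common-auth holding only the line quoted in the thread.
OLD_SSHD_AUTH = """\
auth    required    pam_env.so
auth    required    pam_unix.so nullok_secure
"""

# Assumed pam-auth-update style common-auth with the pam_deny (requisite) and
# pam_permit (required) lines the thread discusses.
NEW_COMMON_AUTH = """\
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

def comment_out(config, module):
    """Reproduce the typo from the thread: comment out every line naming `module`."""
    return "\n".join("#" + l if module in l and not l.lstrip().startswith("#") else l
                     for l in config.splitlines())

def outcome(config, password_ok):
    """Result of an ssh password login against `config`."""
    unix = SUCCESS if password_ok else AUTH_ERR
    return dispatch(parse_stack(config, {"pam_unix.so": unix}))

CREDENTIAL_MODULES = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so", "pam_sss.so"}

def accepts_any_password(config):
    """Defender's check: force every credential-checking module to fail and see
    whether the stack still authenticates.  True means the stack is fail-open."""
    forced = {m: AUTH_ERR for m in CREDENTIAL_MODULES}
    return dispatch(parse_stack(config, forced)) == SUCCESS

if __name__ == "__main__":
    print("old layout, wrong password:        ", outcome(OLD_SSHD_AUTH, False))
    print("old layout, pam_unix commented:    ", outcome(comment_out(OLD_SSHD_AUTH, "pam_unix.so"), False))
    print("new layout, pam_unix commented:    ", outcome(comment_out(NEW_COMMON_AUTH, "pam_unix.so"), False))
    broken = comment_out(comment_out(NEW_COMMON_AUTH, "pam_unix.so"), "pam_deny.so")
    print("new layout, pam_deny also gone:    ", outcome(broken, False))
    print("new layout, no pam_permit, good pw:", outcome(comment_out(NEW_COMMON_AUTH, "pam_permit.so"), True))
```

In the old layout the surviving `required pam_env.so` is the "soft success": once pam_unix is gone nothing casts a negative verdict, so any password is accepted. In the newer layout the same typo leaves `requisite pam_deny.so` in place and the login is refused; only removing pam_deny as well lets `required pam_permit.so` open the system. `accepts_any_password` is the check to run over a real common-auth after editing it: feed it the file's text and it reports whether a failed credential check still yields a login.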
Re: Any Account Logs In With Any Password
On Mon, Oct 25, 2010 at 05:16:51PM -0400, Brad Tilley wrote:
> While experimenting with PCI DSS on a default Debian Linux system, I
> found that when I comment out this line:
>
> auth    required    pam_unix.so nullok_secure
>
> in /etc/pam.d/common-auth, any account may ssh into the box by typing
> anything as the password. Is this the desired behavior? I would think
> that it would fail by default.

If no authentication modules are 'required', then no authentication is required. Makes sense to me.

noah
Any Account Logs In With Any Password
While experimenting with PCI DSS on a default Debian Linux system, I found that when I comment out this line:

    auth    required    pam_unix.so nullok_secure

in /etc/pam.d/common-auth, any account may ssh into the box by typing anything as the password. Is this the desired behavior? I would think that it would fail by default.

Archive: http://lists.debian.org/4cc5f3c3.5020...@vt.edu