pam-auth-update does not prohibit selecting an empty set of modules

Related Vulnerabilities: CVE-2009-0887 (a separate pam_misc integer signedness issue, closed by the same pam 1.0.1-10 upload that fixed this bug; see the changelog in the closing message)

Debian Bug report logs - #519927


Package: pam; Maintainer for pam is Steve Langasek <vorlon@debian.org>;

Reported by: Russell Senior <seniorr@aracnet.com>

Date: Mon, 16 Mar 2009 10:48:34 UTC

Severity: serious

Tags: security

Merged with 521038, 528794

Found in version 1.0.1-9

Fixed in version pam/1.0.1-10

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#519927; Package libpam-runtime. (Mon, 16 Mar 2009 10:48:36 GMT)

Acknowledgement sent to Russell Senior <seniorr@aracnet.com>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 16 Mar 2009 10:48:36 GMT)

Message #5 received at submit@bugs.debian.org:

From: Russell Senior <seniorr@aracnet.com>
To: submit@bugs.debian.org
Subject: default response to libpam-runtime configuration disables unix passwords
Date: 16 Mar 2009 01:53:23 -0700
Package: libpam-runtime                 
Version: 1.0.1-7
Severity: critical

On some Debian unstable systems, configuring libpam-runtime leads to
the following question:

  # dpkg-reconfigure libpam-runtime
  Pluggable Authentication Modules (PAM) determine how authentication, 
  authorization, and password changing are handled on the system, as well as 
  allowing configuration of additional actions to take when starting user 
  sessions.

  Some PAM module packages provide profiles that can be used to automatically 
  adjust the behavior of all PAM-using applications on the system.  Please 
  indicate which of these behaviors you wish to enable.

    1. Unix authentication  2. none of the above

  (Enter the items you want to select, separated by spaces.)

  PAM profiles to enable: 

Pressing enter (with an empty default) results in Unix password
authentication being turned off.  This is unexpected and not very nice
behavior.  I have labelled severity as critical as it had the effect
of leaving a system accessible remotely without password for several
days, during which typical ssh robo-scans were able to log in freely
and trivially gain root.


-- 
Russell Senior         ``I have nine fingers; you have ten.''
seniorr@aracnet.com




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#519927; Package libpam-runtime. (Mon, 16 Mar 2009 15:51:11 GMT)

Acknowledgement sent to Aristeu Rozanski <aris@ruivo.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 16 Mar 2009 15:51:11 GMT)

Message #10 received at 519927@bugs.debian.org:

From: Aristeu Rozanski <aris@ruivo.org>
To: 519927@bugs.debian.org
Subject: same here
Date: Mon, 16 Mar 2009 11:20:14 -0400
I can confirm this problem. I've set a cron job to update the system every day
and got this from /var/log/apt/term.log:
	Setting up libpam-runtime (1.0.1-7) ...
	debconf: unable to initialize frontend: Dialog
	debconf: (TERM is not set, so the dialog frontend is not usable.)
	debconf: falling back to frontend: Readline
	Pluggable Authentication Modules (PAM) determine how authentication, authorization, and password changing are handled on the system, as well as allowing configuration of additional actions to take when starting user sessions.

	Some PAM module packages provide profiles that can be used to automatically adjust the behavior of all PAM-using applications on the system.  Please indicate which of these behaviors you wish to enable.

	  1. Unix authentication  2. none of the above

	(Enter the items you want to select, separated by spaces.)

	PAM profiles to enable:
	Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 104.
	(Reading database ... 313074 files and directories currently installed.)
	Preparing to replace libpam0g 1.0.1-5 (using .../libpam0g_1.0.1-7_i386.deb) ...
	Unpacking replacement libpam0g ...
	Setting up libpam0g (1.0.1-7) ...

but ssh doesn't appear to be affected by this, still asks for a password.

-- 
Aristeu





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#519927; Package libpam-runtime. (Tue, 17 Mar 2009 07:06:02 GMT)

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Mar 2009 07:06:02 GMT)

Message #15 received at 519927@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Russell Senior <seniorr@aracnet.com>, 519927@bugs.debian.org
Subject: Re: Bug#519927: default response to libpam-runtime configuration disables unix passwords
Date: Tue, 17 Mar 2009 00:03:12 -0700
severity 519927 serious
thanks

On Mon, Mar 16, 2009 at 01:53:23AM -0700, Russell Senior wrote:

> On some Debian unstable systems, configuring libpam-runtime leads to
> the following question:

>   # dpkg-reconfigure libpam-runtime
>   Pluggable Authentication Modules (PAM) determine how authentication, 
>   authorization, and password changing are handled on the system, as well as 
>   allowing configuration of additional actions to take when starting user 
>   sessions.

>   Some PAM module packages provide profiles that can be used to automatically 
>   adjust the behavior of all PAM-using applications on the system.  Please 
>   indicate which of these behaviors you wish to enable.

>     1. Unix authentication  2. none of the above

>   (Enter the items you want to select, separated by spaces.)

>   PAM profiles to enable: 

> Pressing enter (with an empty default) results in Unix password
> authentication being turned off.

This happens only if:

- You set the debconf priority to medium or lower.
- You are using the readline frontend instead of the default dialog
  frontend.
- You do not have libterm-readline-gnu-perl installed.

To the extent that debconf doesn't inform you what the currently-selected
options are, that should probably be considered a debconf bug.  However,
with these settings you're going to get a lot of wrong "defaults" if you're
just hitting enter, and that's effectively user error for configuring
debconf that way and subsequently hitting enter...

> This is unexpected and not very nice behavior.  I have labelled severity
> as critical as it had the effect of leaving a system accessible remotely
> without password for several days, during which typical ssh robo-scans
> were able to log in freely and trivially gain root.

No, it's not very nice.  There are three possible courses of action here in
the case that the user selects an empty set of modules.  We can have a
default permit policy (fail open), a default deny policy (fail closed), or
we can force the user to choose one or more modules.

I had avoided going with the last option because it requires additional
debconf prompts that will require another round of translation; but if it's
not sufficiently obvious that it's an error to answer this question with an
empty set of modules, then that's what we'll need to do.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Severity set to `serious' from `critical' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 17 Mar 2009 07:06:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#519927; Package libpam-runtime. (Tue, 17 Mar 2009 07:54:02 GMT)

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Mar 2009 07:54:16 GMT)

Message #22 received at 519927@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Aristeu Rozanski <aris@ruivo.org>, 519927@bugs.debian.org
Subject: Re: Bug#519927: same here
Date: Tue, 17 Mar 2009 00:51:39 -0700
On Mon, Mar 16, 2009 at 11:20:14AM -0400, Aristeu Rozanski wrote:

> I can confirm this problem. I've set a cron job to update the system
> everyday and got this from /var/log/apt/term.log:

Mmm, then your cronjob is broken.  You shouldn't auto-install packages from
a cronjob without first configuring debconf to use the noninteractive
frontend for this purpose; you will run into other problems besides this
one.

> but ssh doesn't appear to be affected by this, still asks for a password.

It asks for a password, but I believe you'll find that it accepts any
value.  You'll want to run 'pam-auth-update' as root to fix up your
authentication config immediately, if you haven't already done so.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
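Steve's two replies above (message #15 and message #22) describe the hazard precisely: with an empty profile set the stack still prompts for a password but accepts any value (fail open), and the alternatives are a fail-closed stack or forcing the user to choose a module. The following is an added example, not code from pam-auth-update, libpam or the pam package: a small evaluator for the `auth` lines of one pam.d file, using the ok/done/bad/die/ignore/N control semantics documented in pam.d(5), that classifies a stack as fail-open, fail-closed or authenticating by simulating a wrong and a right password. The three sample files are constructed for the example (the first follows the shape pam-auth-update writes for the Unix profile; the second is constructed to reproduce the fail-open behaviour Steve describes, with only the priming pam_permit line left; the third is the fail-closed alternative). The per-module outcomes (pam_unix fails on a wrong password, pam_deny always fails, pam_permit always succeeds, anything unknown fails) are assumptions, and the evaluator reads only one file's `auth` lines, not `@include` chains or the other stack types.

```python
"""Classify the 'auth' stack of a PAM configuration file as fail-open,
fail-closed or authenticating, by simulating libpam's stack rules.

Added example for this bug log; not pam-auth-update or libpam code.
The sample stacks and the module outcomes below are constructed/assumed.
"""
import re

# pam.d(5): what the simple control keywords expand to.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Assumed pam_sm_authenticate results per module; unknown modules count as failing.
WRONG_PASSWORD = {"pam_unix.so": "auth_err", "pam_deny.so": "auth_err", "pam_permit.so": "success"}
RIGHT_PASSWORD = {"pam_unix.so": "success",  "pam_deny.so": "auth_err", "pam_permit.so": "success"}

AUTH_LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_auth_stack(text):
    """Return [(control, module), ...] for the 'auth' lines of one pam.d file.
    Comments, blank lines, other stack types and include/substack lines are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = AUTH_LINE.match(line)
        if not m:
            continue
        control, module = m.group(1), m.group(2).rsplit("/", 1)[-1]
        if control.startswith("["):            # explicit [value=action ...] form
            ctl = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            ctl = KEYWORDS.get(control)        # None for 'include'/'substack'
        if ctl is not None:
            stack.append((ctl, module))
    return stack


def run_auth_stack(stack, outcomes):
    """Evaluate an auth stack and return 'success' or the first recorded failure.
    Actions are ignore, ok, done, bad, die, or N (skip the next N modules)."""
    status, failed, i = None, False, 0
    while i < len(stack):
        ctl, module = stack[i]
        i += 1
        ret = outcomes.get(module, "auth_err")
        action = ctl.get(ret, ctl.get("default", "bad"))
        if action == "ignore":
            continue
        if not failed:                         # the first failure wins; later successes cannot override it
            status = ret
            failed = ret != "success" or action in ("bad", "die")
        if action == "die" or (action == "done" and not failed):
            break                              # die: stop with the failure; done: stop with success
        if action.isdigit():
            i += int(action)                   # success=N in Debian's common-auth jumps over pam_deny
    if status is None or (failed and status == "success"):
        status = "perm_denied"                 # empty or all-ignored stack: libpam's must-fail code
    return status


def classify(text):
    """'fail-open' if a wrong password is accepted, 'fail-closed' if even the
    right one is rejected, otherwise 'authenticating'."""
    stack = parse_auth_stack(text)
    if run_auth_stack(stack, WRONG_PASSWORD) == "success":
        return "fail-open"
    if run_auth_stack(stack, RIGHT_PASSWORD) != "success":
        return "fail-closed"
    return "authenticating"


# Constructed sample files (tabs as pam-auth-update writes them).
UNIX_PROFILE = """\
# /etc/pam.d/common-auth, constructed: Unix authentication profile selected
auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth\trequisite\t\t\tpam_deny.so
# prime the stack with a positive return value if there isn't one already
auth\trequired\t\t\tpam_permit.so
"""

EMPTY_PROFILE = """\
# constructed: no profile selected, only the priming line is left
auth\trequired\t\t\tpam_permit.so
"""

FAIL_CLOSED = """\
# constructed: the fail-closed alternative
auth\trequired\t\t\tpam_deny.so
"""

if __name__ == "__main__":
    import sys
    for name, text in (("unix", UNIX_PROFILE), ("empty", EMPTY_PROFILE), ("closed", FAIL_CLOSED)):
        print(f"{name:6} -> {classify(text)}")
    for path in sys.argv[1:] or ["/etc/pam.d/common-auth"]:
        try:
            with open(path) as fh:
                print(f"{path} -> {classify(fh.read())}")
        except OSError as exc:
            print(f"{path}: {exc}")
```

Run it against /etc/pam.d/common-auth after any pam-auth-update run or unattended upgrade that touched libpam-runtime; a verdict of fail-open is the condition Steve tells Aristeu to repair by running pam-auth-update as root. The model only covers what it parses, so once a stack has been rewritten, confirm with a real login attempt using a wrong password.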




Changed Bug title to `pam-auth-update does not prohibit selecting an empty set of modules' from `default response to libpam-runtime configuration disables unix passwords'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 17 Mar 2009 09:27:29 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#519927; Package libpam-runtime. (Tue, 17 Mar 2009 15:18:03 GMT)

Acknowledgement sent to Aristeu Rozanski <aris@ruivo.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 17 Mar 2009 15:18:03 GMT)

Message #29 received at 519927@bugs.debian.org:

From: Aristeu Rozanski <aris@ruivo.org>
To: Steve Langasek <vorlon@debian.org>, 519927@bugs.debian.org
Subject: Re: Bug#519927: same here
Date: Tue, 17 Mar 2009 11:16:21 -0400
> Mmm, then your cronjob is broken.  You shouldn't auto-install packages from
> a cronjob without first configuring debconf to use the noninteractive
> frontend for this purpose; you will run into other problems besides this
> one.
fixed, thanks.

> > but ssh doesn't appear to be affected by this, still asks for a password.
> 
> It asks for a password, but I believe you'll find that it accepts any
> value.  You'll want to run 'pam-auth-update' as root to fix up your
> authentication config immediately, if you haven't already done so.
I remember checking this with a blank password and other randomly typed passwords
and it didn't work.
And yes, I ran pam-auth-update as soon as I found what was going on.
Thanks Steve,

-- 
Aristeu





Bug reassigned from package `libpam-runtime' to `src:pam'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Wed, 25 Mar 2009 00:51:03 GMT)

Bug marked as found in version 1.0.1-7. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Wed, 25 Mar 2009 00:51:04 GMT)

Forcibly Merged 519927 521038. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Wed, 25 Mar 2009 00:51:05 GMT)

Bug reassigned from package `src:pam' to `pam'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. (Sun, 10 May 2009 07:42:02 GMT)

Bug marked as found in version 1.0.1-9. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 15 May 2009 20:48:04 GMT)

Bug reassigned from package `pam' to `src:pam'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 15 May 2009 20:51:04 GMT)

Bug reassigned from package `src:pam' to `pam'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 15 May 2009 20:57:02 GMT)

Bug marked as found in version 1.0.1-9. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 15 May 2009 20:57:04 GMT)

Forcibly Merged 519927 521038 528794. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 16 May 2009 05:54:04 GMT)

Added tag(s) pending. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Mon, 27 Jul 2009 14:33:06 GMT)

Added tag(s) security. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 28 Jul 2009 08:39:13 GMT)


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Fri, 07 Aug 2009 10:24:17 GMT)

Notification sent to Russell Senior <seniorr@aracnet.com>:
Bug acknowledged by developer. (Fri, 07 Aug 2009 10:24:17 GMT)

Message #56 received at 519927-close@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 519927-close@bugs.debian.org
Subject: Bug#519927: fixed in pam 1.0.1-10
Date: Fri, 07 Aug 2009 09:48:15 +0000
Source: pam
Source-Version: 1.0.1-10

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_1.0.1-10_amd64.deb
  to pool/main/p/pam/libpam-cracklib_1.0.1-10_amd64.deb
libpam-doc_1.0.1-10_all.deb
  to pool/main/p/pam/libpam-doc_1.0.1-10_all.deb
libpam-modules_1.0.1-10_amd64.deb
  to pool/main/p/pam/libpam-modules_1.0.1-10_amd64.deb
libpam-runtime_1.0.1-10_all.deb
  to pool/main/p/pam/libpam-runtime_1.0.1-10_all.deb
libpam0g-dev_1.0.1-10_amd64.deb
  to pool/main/p/pam/libpam0g-dev_1.0.1-10_amd64.deb
libpam0g_1.0.1-10_amd64.deb
  to pool/main/p/pam/libpam0g_1.0.1-10_amd64.deb
pam_1.0.1-10.diff.gz
  to pool/main/p/pam/pam_1.0.1-10.diff.gz
pam_1.0.1-10.dsc
  to pool/main/p/pam/pam_1.0.1-10.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 519927@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 06 Aug 2009 17:54:32 +0100
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source all amd64
Version: 1.0.1-10
Distribution: unstable
Urgency: high
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 439268 514437 519927 520115 520785 521530 521874 524285
Changes: 
 pam (1.0.1-10) unstable; urgency=high
 .
   [ Steve Langasek ]
   * Updated debconf translations:
     - Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #520785)
     - Russian, thanks to Yuri Kozlov <yuray@komyakino.ru> (closes: #521874)
     - German, thanks to Sven Joachim <svenjoac@gmx.de> (closes: #521530)
     - Basque, thanks to Piarres Beobide <pi+debian@beobide.net>
       (closes: #524285)
   * When no profiles are chosen in pam-auth-update, throw an error message
     and prompt again instead of letting the user end up with an insecure
     system.  This introduces a new debconf template.  Closes: #519927,
     LP: #410171.
 .
   [ Kees Cook ]
   * Add debian/patches/pam_1.0.4_mindays: backport upstream 1.0.4 fixes
     for MINDAYS-Field regression (closes: #514437).
   * debian/control: add missing misc:Depends for packages that need it.
 .
   [ Sam Hartman ]
   * Remove conflicts information for transitions prior to woody release
   * Fix lintian overrides for libpam-runtime
   * Overrides for lintian finding quilt patches
   * pam_mail-fix-quiet: patch from Andreas Henriksson
     applied upstream to fix quiet option of pam_mail, Closes: #439268
 .
   [ Dustin Kirkland ]
   * debian/patches/update-motd: run the update-motd scripts in pam_motd;
     render update-motd obsolete, LP: #399071
 .
   [ Sam Hartman ]
   * cve-2009-0887-libpam-pam_misc.patch: avoid integer signedness problem
     (CVE-2009-0887) (Closes: #520115)
Checksums-Sha1: 
 a34c54b08bdbdb2b449fc4ea7f698c6a6544ca83 1476 pam_1.0.1-10.dsc
 2352cfcab3b9dfd58288f689dd8185f6e25ff5c3 168757 pam_1.0.1-10.diff.gz
 1c0f22a6142387a89fb61f0c64e3d2b365fb4472 185302 libpam-runtime_1.0.1-10_all.deb
 82e4437148dd3eb0339f823efca1542f3a8936e3 290030 libpam-doc_1.0.1-10_all.deb
 89593e28667fbd096a603e9aa671182a7b9e76dc 107424 libpam0g_1.0.1-10_amd64.deb
 ba5ee564239ccc995c70dcd9e026ddf37b683acb 308352 libpam-modules_1.0.1-10_amd64.deb
 91e97cfca222cbbf1759622f7f6e16a97aad0385 164620 libpam0g-dev_1.0.1-10_amd64.deb
 3622324c43229759bdf46b08f6c99400f0c69c5f 67122 libpam-cracklib_1.0.1-10_amd64.deb
Checksums-Sha256: 
 524ad52a2cb21ef2d7d0b3e789502b6b018331d8762ea1b8fc2d1ad3c846893f 1476 pam_1.0.1-10.dsc
 3a77a847b3047e953c21d20eac91fb5082abe2aaafbd60c3fa67b916b8a9541a 168757 pam_1.0.1-10.diff.gz
 bcc1d318615ca39e42b3ff096d740269d98f767bf91ff0fa556d49ca39afd09c 185302 libpam-runtime_1.0.1-10_all.deb
 f265f0f496c38f6090423dde359af0d94ffef70f316f46e91ceb3356d047d714 290030 libpam-doc_1.0.1-10_all.deb
 d5550e7e11f46084c8f90f14cc270791dcdbb034bce72e565182923ed3fad85b 107424 libpam0g_1.0.1-10_amd64.deb
 295ed8f48dd1d80f5c838d2832ee4277afb7ef5c34f154fd0a7003fabb71f8c5 308352 libpam-modules_1.0.1-10_amd64.deb
 0e857df2a93516c824b32fd3a0d429b0ff60d9d4071f5c9aef6f9648de824aa5 164620 libpam0g-dev_1.0.1-10_amd64.deb
 bf473afe6779e4abe1c5db16cea16c7624f147be97ca9bb98ac4c7654e32ed07 67122 libpam-cracklib_1.0.1-10_amd64.deb
Files: 
 e855122d140c1a44924fb54626054589 1476 libs optional pam_1.0.1-10.dsc
 92722914c958c0a61b824ff3279a761c 168757 libs optional pam_1.0.1-10.diff.gz
 fd6d366f7937cdcb815324567c7687e4 185302 admin required libpam-runtime_1.0.1-10_all.deb
 1bb98d626982f15d37a2067fd5bbdf53 290030 doc optional libpam-doc_1.0.1-10_all.deb
 dc49fdff0e24efdcc8e565b62313a4e5 107424 libs required libpam0g_1.0.1-10_amd64.deb
 e8b87833baa1ab14e81cd07e1d625ab2 308352 admin required libpam-modules_1.0.1-10_amd64.deb
 58844a1f9adfd79ee6418857b343fc2c 164620 libdevel optional libpam0g-dev_1.0.1-10_amd64.deb
 d5b97024de0f82e6a0342c0a1ae4e6b5 67122 admin optional libpam-cracklib_1.0.1-10_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKe+8IKN6ufymYLloRAmILAKCsex73eImP7a223I7bL736aBJSxACeIncJ
4BG4q4uLjYnmhrb90deF6Ak=
=wLvA
-----END PGP SIGNATURE-----





Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Fri, 07 Aug 2009 10:24:19 GMT)

Notification sent to Raj Mathur <raju@linux-delhi.org>:
Bug acknowledged by developer. (Fri, 07 Aug 2009 10:24:19 GMT)

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Fri, 07 Aug 2009 10:24:20 GMT)

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. (Fri, 07 Aug 2009 10:24:20 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Sep 2009 07:31:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:01 2019; Machine Name: buxtehude
