Subject: bin/2768: s/key and login
To: None <gnats-bugs@gnats.netbsd.org>
From: None <daw@panix.com>
List: netbsd-bugs
Date: 09/18/1996 14:29:25
>Number: 2768
>Category: bin
>Synopsis: /usr/bin/login leaks info if skey compiled in.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 18 11:50:02 1996
>Last-Modified:
>Originator: Nathaniel D. Daw
>Organization:
Piermont Information Systems
>Release: NetBSD 1.2beta 8/96
>Environment:
System: NetBSD daw.dialup.access.net 1.2_BETA NetBSD 1.2_BETA (NAT2) #21: Fri Aug 2 10:04:22 EDT 1996 nat@dialup227.cc.columbia.edu:/usr/src/sys/arch/i386/compile/NAT2 i386
>Description:
The s/key features in /usr/bin/login if compiled with -DSKEY
allow any stranger off the net to determine if any given
username corresponds to an account on the system. For a number
of reasons, this may be more information than some sites want
to disclose.
>How-To-Repeat:
There are three categories of user names handled by login:
those which have accounts with skey passwords, those which
have accounts without skey passwords, and those which don't
have accounts.
All three of these categories can be distinguished for a given
username simply by specifying the password "s/key" to login
for that username. In the first case, you will receive a
challenge like:
	[s/key 98 nat.40285]
	Response:
In the second you will receive the message:
	You have no s/key. Login incorrect
And in the third you will receive only the message:
	Login incorrect
Thus anyone can always distinguish between accounts and
nonaccounts.
>Fix:
A simple, immediate patch is to delete the line
	fprintf(stderr, "You have no s/key. ");
from src/usr.bin/login/login.c. Then there is no way for
outsiders to distinguish between an account which doesn't
exist and an account which exists but has no s/key.
Strangers can still distinguish between accounts with skeys
and other accounts; to fix this requires issuing fake s/key
challenges. Code for this is in the OPIE distribution.
>Audit-Trail:
>Unformatted:
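The report's Fix section says that closing the account/no-account oracle completely requires issuing fake s/key challenges for names that have no s/key record. The following is an added example of that technique, written for this page; it is not code from the PR, from NetBSD's login.c, or from OPIE, and it does not claim to reproduce how OPIE builds its fake challenges. The account table, the host secret, the FNV-1a hash and the seed shape (two letters, five digits) are all assumptions of the example. The one property it is built around: the decoy must be stable across attempts for the same name, because a real user's challenge only changes on a successful login, so a decoy that changed on every probe would reopen the oracle.

```c
/* fake_skey.c: print a same-shaped s/key challenge for every username, so an
 * outsider cannot tell "has s/key", "account, no s/key" and "no account" apart. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed account table standing in for getpwnam() plus the s/key lookup. */
struct account {
    const char *name;
    int has_skey;      /* 1 if the user has an s/key record */
    unsigned seq;      /* current sequence number, if has_skey */
    const char *seed;  /* seed string, if has_skey */
};

static const struct account accounts[] = {
    { "nat",   1, 98, "nat.40285" },  /* the challenge quoted in the PR */
    { "alice", 0,  0, NULL },         /* real account, no s/key */
};

/* Hypothetical per-host secret (constructed for this example). A deployment
 * would read it from a root-only file at startup. Mixing it in stops an
 * outsider from precomputing the decoy for a name and comparing it with
 * what the host actually prints. */
static const char host_secret[] = "constructed-example-secret-not-for-real-use";

/* FNV-1a over the secret and the username. Deterministic on purpose: the
 * same name must always produce the same decoy. */
static uint64_t mix(const char *user)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const unsigned char *p;
    for (p = (const unsigned char *)host_secret; *p; p++) { h ^= *p; h *= 0x100000001b3ULL; }
    for (p = (const unsigned char *)user; *p; p++)        { h ^= *p; h *= 0x100000001b3ULL; }
    return h;
}

/* Build a plausible decoy. Sequence numbers 10..99 look like a user partway
 * through a key list; the seed shape is an assumption of this example, not
 * the format skeyinit or login.c use. */
static void fake_challenge(const char *user, unsigned *seq, char *seed, size_t seedlen)
{
    uint64_t h = mix(user);
    *seq = 10 + (unsigned)(h % 90);
    snprintf(seed, seedlen, "%c%c%05u",
             'a' + (int)((h >> 8) % 26), 'a' + (int)((h >> 16) % 26),
             (unsigned)((h >> 24) % 100000));
}

/* Write into buf the prompt login would print for user. Returns 1 when the
 * challenge is real (a correct s/key response can succeed), 0 for a decoy. */
int skey_prompt(const char *user, char *buf, size_t len)
{
    const struct account *a = NULL;
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0)
            a = &accounts[i];

    if (a && a->has_skey) {
        snprintf(buf, len, "[s/key %u %s]", a->seq, a->seed);
        return 1;
    }
    /* "Account without s/key" and "no such account" take the same path and
     * produce the same shape of output; the "You have no s/key." message the
     * PR complains about is never printed. */
    unsigned seq;
    char seed[16];
    fake_challenge(user, &seq, seed, sizeof seed);
    snprintf(buf, len, "[s/key %u %s]", seq, seed);
    return 0;
}

int main(void)
{
    const char *probes[] = { "nat", "alice", "nobody" };
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        int real = skey_prompt(probes[i], buf, sizeof buf);
        printf("%-8s %s  (%s)\n", probes[i], buf, real ? "real" : "decoy");
    }
    return 0;
}
```

Whatever the user types in response to a decoy must be rejected, and the rejection should take about as long as a failed check against a real s/key record; if the decoy path returns noticeably faster, the same three classes become distinguishable again by timing rather than by message text.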