Skip to content

Commit

Permalink
pam_unix: avoid determining if user exists
Browse files Browse the repository at this point in the history
Taking a look at the time for the password prompt to appear it was
possible to determine if a user existed in a system. Solved it by
matching the runtime until the password prompt was shown by always
checking the password hash for an existing and a non-existing user.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
  • Loading branch information
ikerexxe authored and t8m committed Jun 17, 2020
1 parent 395915d commit af0faf6
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 7 deletions.
6 changes: 6 additions & 0 deletions modules/pam_unix/passverify.c
Original file line number Diff line number Diff line change
Expand Up @@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok)
if (pwd == NULL || hash == NULL) {
helper_log_err(LOG_NOTICE, "check pass; user unknown");
retval = PAM_USER_UNKNOWN;
} else if (p[0] == '\0' && nullok) {
if (hash[0] == '\0') {
retval = PAM_SUCCESS;
} else {
retval = PAM_AUTH_ERR;
}
} else {
retval = verify_pwd_hash(p, hash, nullok);
}
Expand Down
33 changes: 26 additions & 7 deletions modules/pam_unix/support.c
Original file line number Diff line number Diff line change
Expand Up @@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
char *salt = NULL;
int daysleft;
int retval;
int execloop = 1;
int nonexistent = 1;

D(("called"));

Expand All @@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name

/* UNIX passwords area */

retval = get_pwd_hash(pamh, name, &pwd, &salt);
/*
* Execute this loop twice: one checking the password hash of an existing
* user and another one for a non-existing user. This way the runtimes
* are equal, making it more difficult to differentiate existing from
* non-existing users.
*/
while (execloop) {
retval = get_pwd_hash(pamh, name, &pwd, &salt);

if (retval == PAM_UNIX_RUN_HELPER) {
/* salt will not be set here so we can return immediately */
if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
return 1;
else
return 0;
if (retval == PAM_UNIX_RUN_HELPER) {
execloop = 0;
if(nonexistent) {
get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
}
/* salt will not be set here so we can return immediately */
if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
return 1;
else
return 0;
} else if (retval == PAM_USER_UNKNOWN) {
name = "root";
nonexistent = 0;
} else {
execloop = 0;
}
}

/* Does this user have a password? */
Expand Down

0 comments on commit af0faf6

Please sign in to comment.