From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001 From: ikerexxe Date: Tue, 16 Jun 2020 14:32:36 +0200 Subject: [PATCH 1/2] pam_unix: avoid determining if user exists Taking a look at the time for the password prompt to appear it was possible to determine if a user existed in a system. Solved it by matching the runtime until the password prompt was shown by always checking the password hash for an existing and a non-existing user. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 --- modules/pam_unix/passverify.c | 6 ++++++ modules/pam_unix/support.c | 33 ++++++++++++++++++++++++++------- 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index a571b4f7..7455eae6 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok) if (pwd == NULL || hash == NULL) { helper_log_err(LOG_NOTICE, "check pass; user unknown"); retval = PAM_USER_UNKNOWN; + } else if (p[0] == '\0' && nullok) { + if (hash[0] == '\0') { + retval = PAM_SUCCESS; + } else { + retval = PAM_AUTH_ERR; + } } else { retval = verify_pwd_hash(p, hash, nullok); } diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 41db1f04..dc67238c 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name char *salt = NULL; int daysleft; int retval; + int execloop = 1; + int nonexistent = 1; D(("called")); @@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name /* UNIX passwords area */ - retval = get_pwd_hash(pamh, name, &pwd, &salt); + /* + * Execute this loop twice: one checking the password hash of an existing + * user and another one for a non-existing user. This way the runtimes + * are equal, making it more difficult to differentiate existing from + * non-existing users. + */ + while (execloop) { + retval = get_pwd_hash(pamh, name, &pwd, &salt); - if (retval == PAM_UNIX_RUN_HELPER) { - /* salt will not be set here so we can return immediately */ - if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) - return 1; - else - return 0; + if (retval == PAM_UNIX_RUN_HELPER) { + execloop = 0; + if(nonexistent) { + get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt); + } + /* salt will not be set here so we can return immediately */ + if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) + return 1; + else + return 0; + } else if (retval == PAM_USER_UNKNOWN) { + name = "root"; + nonexistent = 0; + } else { + execloop = 0; + } } /* Does this user have a password? */ -- 2.26.2 From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001 From: ikerexxe Date: Tue, 16 Jun 2020 14:44:04 +0200 Subject: [PATCH 2/2] pam_usertype: avoid determining if user exists Taking a look at the time for the password prompt to appear it was possible to determine if a user existed in a system. Solved it by matching the runtime until the password prompt was shown by always checking the password hash for an existing and a non-existing user. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 --- modules/pam_usertype/pam_usertype.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c index 2807c306..d03b73b5 100644 --- a/modules/pam_usertype/pam_usertype.c +++ b/modules/pam_usertype/pam_usertype.c @@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, "error retrieving information about user %s", username); } + pam_modutil_getpwnam(pamh, "root"); + return PAM_USER_UNKNOWN; } + pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:"); *_uid = pwd->pw_uid; -- 2.26.2