From roam@ringlet.net  Fri Dec  6 06:36:38 2002
Return-Path: <roam@ringlet.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DAD8837B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  6 Dec 2002 06:36:38 -0800 (PST)
Received: from straylight.ringlet.net (office.sbnd.net [217.75.140.130])
	by mx1.FreeBSD.org (Postfix) with SMTP id 8DAA243E4A
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  6 Dec 2002 06:36:34 -0800 (PST)
	(envelope-from roam@ringlet.net)
Received: (qmail 10950 invoked by uid 1000); 6 Dec 2002 14:36:03 -0000
Message-Id: <20021206143603.10949.qmail@straylight.ringlet.net>
Date: 6 Dec 2002 14:36:03 -0000
From: Peter Pentchev <roam@FreeBSD.org>
Reply-To: Peter Pentchev <roam@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] OPIE and S/Key PAM prompt echoing fixes
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         46025
>Category:       bin
>Synopsis:       [PATCH] OPIE and S/Key PAM prompt echoing fixes
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 06 06:40:01 PST 2002
>Closed-Date:    Mon Feb 10 04:15:53 PST 2003
>Last-Modified:  Mon Feb 10 04:15:53 PST 2003
>Originator:     Peter Pentchev <roam@FreeBSD.org>
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
SBND Technologies Ltd.
>Environment:
System: FreeBSD straylight.oblivion.bg 4.7-STABLE FreeBSD 4.7-STABLE #6: Fri Dec 6 11:53:43 EET 2002 roam@straylight.oblivion.bg:/usr/obj/usr/src/sys/RINGWORLD i386

>Description:

The S/Key and OPIE PAM modules allow the user to see the pass phrase's
characters as they are entered.  This is done by turning on a PAM
conversation option that controls echoing of the entered passwords;
however, both modules neglect to turn it off afterwards, so if additional
authentication modules are tried when the S/Key or OPIE login fails, the
passwords for those modules are echoed as they are entered.
This may be highly undesirable in certain situations :)

This has been tested using the Linux-PAM implementation in -STABLE;
unfortunately, I cannot test it on a -CURRENT system with OpenPAM right
now, but if this problem exists there too, then IMHO it is something
that should be fixed before 5.0 rolls out the door.  This is the reason
I have marked this PR as serious/high.

>How-To-Repeat:

Configure OPIE or S/Key authentication on a 4.7-STABLE box.

Try to log in.

Press 'Enter' on the first OPIE or S/Key password prompt, so that the
'Password: [echo on]' prompt is displayed.

Press 'Enter' or enter an invalid password at the 'echo on' prompt.

Wait for the normal pam_unix or krb5 or whatever 'Password' prompt to
appear, then watch in horrified fascination as your password is echoed
straight back at you as you type it in.

>Fix:

Note that the fix below only works if the PAM conversation mechanism
used actually honors the 'echo on' flag, or rather, handles the
'off-on-off' series of transitions properly; there is a separate problem
with using the security/sudo port, which I will submit as a separate PR.
Even with the above fixes, sudo will echo back the password for later
auth modules unless the patch to come in the next PR is applied to the
port.

Index: src/contrib/libpam/libpam_misc/misc_conv.c
===================================================================
RCS file: /home/ncvs/src/contrib/libpam/libpam_misc/Attic/misc_conv.c,v
retrieving revision 1.1.1.1.6.2
diff -u -r1.1.1.1.6.2 misc_conv.c
--- src/contrib/libpam/libpam_misc/misc_conv.c	11 Jun 2001 15:28:15 -0000	1.1.1.1.6.2
+++ src/contrib/libpam/libpam_misc/misc_conv.c	6 Dec 2002 14:21:03 -0000
@@ -181,7 +181,9 @@
 	    return NULL;
 	}
 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
-	if (!echo) {
+	if (echo) {
+	    term_tmp.c_lflag |= ECHO;
+	} else {
 	    term_tmp.c_lflag &= ~(ECHO);
 	}
 	have_term = 1;
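Review bot: the new `if (echo)` branch forces ECHO on instead of leaving term_tmp as copied from term_before, and that matters because term_before is simply whatever mode the terminal is in when this prompt is issued: with the old code an 'echo on' prompt issued while ECHO was already cleared stayed silent, and an 'echo off' prompt still depends on every caller restoring term_before after the read. That restore is outside this hunk; please confirm it also runs on the error paths, since a skipped restore is precisely the 'off-on-off' failure the PR describes. The two branches could be one assignment to c_lflag, but the explicit set/clear is clear enough as written.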
Index: src/lib/libpam/modules/pam_opie/pam_opie.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v
retrieving revision 1.1.2.1
diff -u -r1.1.2.1 pam_opie.c
--- src/lib/libpam/modules/pam_opie/pam_opie.c	3 Jul 2002 21:41:30 -0000	1.1.2.1
+++ src/lib/libpam/modules/pam_opie/pam_opie.c	6 Dec 2002 14:19:44 -0000
@@ -69,7 +69,7 @@
 	struct opie opie;
 	struct options options;
 	struct passwd *pwd;
-	int retval, i;
+	int retval, i, echo;
 	const char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
 	char challenge[OPIE_CHALLENGE_MAX];
 	char prompt[OPIE_CHALLENGE_MAX+22];
@@ -118,10 +118,14 @@
 	 */
 	pam_set_item(pamh, PAM_AUTHTOK, NULL);
 
+	echo = pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL);
+
 	for (i = 0; i < 2; i++) {
 		snprintf(prompt, sizeof prompt, promptstr[i], challenge);
 		retval = pam_get_pass(pamh, &response, prompt, &options);
 		if (retval != PAM_SUCCESS) {
+			if (!echo)
+				pam_clear_option(&options, PAM_OPT_ECHO_PASS);
 			opieunlock();
 			return (retval);
 		}
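Review bot: `options` is a local `struct options` (declared at the top of this function), so clearing PAM_OPT_ECHO_PASS on the early `return (retval)` and again after the loop only affects this call's copy, and no later module can observe it; if pam_unix's prompt echoes as the description reports, the visible cause is the terminal mode left behind by the conversation function, which the misc_conv.c hunk addresses, and these clears are defensive rather than the fix. Either way the cleanup is duplicated across two exit paths (and on the first iteration the option has not been set yet, so the clear there is a no-op); the pam_skey.c hunk's ordering of calling pam_get_pass, clearing the option at once, then testing retval keeps it in one place and would read better here too, with the `if (!echo)` guard retained so an administrator-configured echo_pass is not discarded.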
@@ -134,6 +138,9 @@
 		/* Second time round, echo the password */
 		pam_set_option(&options, PAM_OPT_ECHO_PASS);
 	}
+
+	if (!echo)
+		pam_clear_option(&options, PAM_OPT_ECHO_PASS);
 
 	/* We have to copy the response, because opieverify mucks with it. */
 	strlcpy(resp, response, sizeof (resp));
Index: src/lib/libpam/modules/pam_skey/pam_skey.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_skey/Attic/pam_skey.c,v
retrieving revision 1.2.6.1
diff -u -r1.2.6.1 pam_skey.c
--- src/lib/libpam/modules/pam_skey/pam_skey.c	3 Jul 2002 21:41:30 -0000	1.2.6.1
+++ src/lib/libpam/modules/pam_skey/pam_skey.c	6 Dec 2002 14:18:58 -0000
@@ -83,8 +83,9 @@
 		pam_set_option(&options, PAM_OPT_ECHO_PASS);
 		snprintf(prompt, sizeof prompt,
 			 "%s\nPassword [echo on]: ", challenge);
-		if ((retval = pam_get_pass(pamh, &response, prompt,
-		    &options)) != PAM_SUCCESS)
+		retval = pam_get_pass(pamh, &response, prompt, &options);
+		pam_clear_option(&options, PAM_OPT_ECHO_PASS);
+		if (retval != PAM_SUCCESS)
 			return retval;
 	}
 	/*
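Review bot: the pam_clear_option(&options, PAM_OPT_ECHO_PASS) after pam_get_pass is unconditional here, whereas the pam_opie.c change guards its clears with the `echo` snapshot taken via pam_test_option before prompting. If pam_skey honours an administrator-configured echo_pass option the way pam_opie does, clearing it after the second prompt silently drops that setting for the rest of the call; adding the same pam_test_option check keeps the two modules consistent. Clearing before the retval test, as done here, is the right ordering and is the pattern pam_opie.c should adopt.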
>Release-Note:
>Audit-Trail:

From: Peter Pentchev <roam@ringlet.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/46025: [PATCH] OPIE and S/Key PAM prompt echoing fixes
Date: Fri, 6 Dec 2002 16:50:54 +0200

 On Fri, Dec 06, 2002 at 02:36:03PM -0000, Peter Pentchev wrote:
 > 
 > >Number:         46025
 > >Category:       bin
 > >Synopsis:       [PATCH] OPIE and S/Key PAM prompt echoing fixes
 [snip]
 > Note that the fix below only works if the PAM conversation mechanism
 > used actually honors the 'echo on' flag, or rather, handles the
 > 'off-on-off' series of transitions properly; there is a separate problem
 > with using the security/sudo port, which I will submit as a separate PR.
 > Even with the above fixes, sudo will echo back the password for later
 > auth modules unless the patch to come in the next PR is applied to the
 > port.
 
 For testing involving the sudo port, note that the fix has been
 submitted as PR ports/46026.
 
 G'luck,
 Peter
 
 -- 
 Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
 PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
 Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
 I've heard that this sentence is a rumor.
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: roam 
Responsible-Changed-When: Mon Feb 3 04:35:53 PST 2003 
Responsible-Changed-Why:  
Over to our PAM maintainer; DES, could you take a look at this 
in -STABLE, since you said that -CURRENT does not have this problem? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46025 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Feb 10 04:15:52 PST 2003 
State-Changed-Why:  
Fixed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46025 
>Unformatted:
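The PR's complaint is about terminal echo state that outlives the prompt that turned it on. The following is an added example, not code from this PR or from FreeBSD's misc_conv.c, pam_opie or pam_skey: a prompt reader written the way a PAM conversation function should behave, deciding the echo mode per prompt from a freshly saved baseline, restoring that baseline on every exit path, and refusing to read a secret when echo cannot be turned off. The names prompt_lflag and read_prompt are this example's own, and the pipe-fed input used when it is run non-interactively is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>

/*
 * Added example (not from the PR or from FreeBSD).  Names are this
 * example's own.  Shows the "off-on-off" discipline the PR asks for:
 * the echo mode is derived per prompt and the saved baseline is
 * restored before every return.
 */

/* Derive the local-mode flags for one prompt.  Pure, so it can be
 * checked without a tty: ECHO is set or cleared explicitly (as the
 * misc_conv.c hunk does) and every other flag is left untouched. */
tcflag_t prompt_lflag(tcflag_t baseline, int echo)
{
    if (echo)
        return baseline | ECHO;
    return baseline & ~(tcflag_t)ECHO;
}

/*
 * Print prompt (if out != NULL), read one line from fd and store it
 * NUL-terminated in buf without the newline.  Returns the number of
 * characters stored, or -1 on error.  If fd is a terminal, the
 * requested echo mode applies for the duration of this read only.
 */
ssize_t read_prompt(int fd, FILE *out, const char *prompt, int echo,
                    char *buf, size_t bufsz)
{
    struct termios before, tmp;
    int have_term = 0;
    size_t len = 0;
    ssize_t n = -1;

    if (bufsz == 0)
        return -1;
    if (out != NULL) {
        fputs(prompt, out);
        fflush(out);
    }

    if (isatty(fd)) {
        if (tcgetattr(fd, &before) != 0)
            return -1;
        tmp = before;
        tmp.c_lflag = prompt_lflag(before.c_lflag, echo);
        if (tcsetattr(fd, TCSAFLUSH, &tmp) != 0) {
            if (!echo)
                return -1;  /* cannot guarantee echo is off: no secret */
        } else {
            have_term = 1;
        }
    }

    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            goto done;              /* n stays -1 */
        }
        if (r == 0 || c == '\n')
            break;
        if (len < bufsz - 1)
            buf[len++] = c;         /* overlong input is truncated */
    }
    buf[len] = '\0';
    n = (ssize_t)len;

done:
    /* Restore the baseline on every path, so an "echo on" prompt can
     * never leave the tty echoing for the next module's password. */
    if (have_term)
        (void)tcsetattr(fd, TCSANOW, &before);
    if (have_term && !echo && out != NULL)
        fputc('\n', out);           /* the user's Enter was not echoed */
    return n;
}

int main(void)
{
    char resp[128];

    /* The PR's scenario: an echo-on prompt followed by a normal one;
     * the second must not echo. */
    if (read_prompt(STDIN_FILENO, stdout, "Password [echo on]: ", 1,
                    resp, sizeof resp) < 0)
        return 1;
    if (read_prompt(STDIN_FILENO, stdout, "Password: ", 0,
                    resp, sizeof resp) < 0)
        return 1;
    memset(resp, 0, sizeof resp);   /* do not leave the secret around */
    return 0;
}
```

Run it on a terminal to see the second prompt stay silent even though the first one echoed; with input from a pipe, isatty() is false and no terminal mode is touched at all. The restore is done from the mode captured at the start of the same call, not from a global or from whatever the previous prompt left behind, which is what makes the sequence safe regardless of how many modules prompt afterwards.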
