Issue 12: PAM module doesn't verify length of password before parsing
Status:  New
Owner:  ----
Type-Defect
Priority-Medium


Reported by fergus420, Mar 10, 2009
What steps will reproduce the problem?
1. Attempt to log in to a yubikey-enabled ssh daemon
2. Enter a password less than 44 characters

What version of the product are you using? On what operating system?
version 1.11 on Ubuntu 8.04

Please provide any additional information below.


This code never checks to see if the length of the entered password is long
enough to contain an OTP before it splits it up into pieces. In my scenario,
a user without a yubikey enters their password and the PAM module attempts
to split it into the base password and OTP pieces. Since the password is
less than 44 chars the code attempts to strncpy from an invalid memory
location.
Comment 1 by fergus420, Mar 11, 2009
Here is a patch that adds the password check mentioned above. It also changes how
yubikey ids are checked. After it gets the username, it then goes and retrieves the
ids associated with the user. If a user doesn't have any key ids, it returns
PAM_SUCCESS so PAM moves on. This also contains the 64-bit patch from the forums. I
haven't had a chance to test it significantly; I left my yubikey at work. I'll try
and do some more testing soon.

richard
Attachment: pam_yubico-1.11updates.patch (7.8 KB)
Comment 2 by fergus420, Mar 11, 2009
Had a logic error in the previous patch. I should also point out that I don't have
an LDAP server to test my changes, but I think it should work.

richard
Attachment: pam_yubico-1.11updates2.patch (8.2 KB)
Comment 3 by simon75j, Mar 31, 2009
The current release now checks the length of the OTP before splitting it up. Please test it.
And thanks for the report!
Comment 4 by debrabander, May 12, 2009
The whole length checking is a bit broken. It has a fixed length of 44 characters for
TOKEN_LEN and 12 for TOKEN_ID_LEN. But in my case I had to change this to 48 and 16.
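
An added example, not part of the thread and not pam_yubico's own code: one way to do the length check described in the report before splitting the input, with the token and ID lengths passed in so the 48/16 case from comment 4 goes through the same path. The helper name, the struct, FIELD_MAX and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Lengths quoted in the thread: a 44-character token whose first 12
 * characters are the key ID (comment 4 reports needing 48 and 16). */
#define TOKEN_LEN    44
#define TOKEN_ID_LEN 12
#define FIELD_MAX    128   /* assumed buffer size for this example */

struct split { char password[FIELD_MAX], otp[FIELD_MAX], key_id[FIELD_MAX]; };

/* Hypothetical helper, not pam_yubico's code: splits "<password><OTP>".
 * Returns 0 on success, -1 if the input cannot contain a token. */
int split_password_otp(const char *input, size_t token_len, size_t id_len,
                       struct split *out)
{
    size_t input_len, password_len;
    if (input == NULL || out == NULL || id_len > token_len ||
        token_len >= FIELD_MAX)
        return -1;
    input_len = strlen(input);
    /* The check the report asks for. Without it, input_len - token_len
     * wraps (size_t is unsigned) and the copies read outside the input. */
    if (input_len < token_len)
        return -1;
    password_len = input_len - token_len;
    if (password_len >= FIELD_MAX)
        return -1;

    memcpy(out->password, input, password_len);
    out->password[password_len] = '\0';
    memcpy(out->otp, input + password_len, token_len);
    out->otp[token_len] = '\0';
    memcpy(out->key_id, out->otp, id_len);
    out->key_id[id_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed input: password + 44-character placeholder token. */
    const char *in = "hunter2" "ccccccbbbbbb" "cbdefghijklnrtuvcbdefghijklnrtuv";
    struct split s;
    printf("short input -> %d\n",
           split_password_otp("hunter2", TOKEN_LEN, TOKEN_ID_LEN, &s));
    if (split_password_otp(in, TOKEN_LEN, TOKEN_ID_LEN, &s) == 0)
        printf("password=%s key_id=%s\n", s.password, s.key_id);
    return 0;
}
```

A caller in a PAM module would treat the -1 return as "no OTP present" and decide from policy whether to fail or pass the input on as a plain password.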