NetBSD Problem Report #4417

Received: (qmail 11646 invoked from network); 3 Nov 1997 03:34:50 -0000
Message-Id: <199711030335.TAA01106@nooksack.ldc.cs.wwu.edu>
Date: Sun, 2 Nov 1997 19:35:58 -0800 (PST)
From: Scott.Burns@Netcontech.Com
To: gnats-bugs@gnats.netbsd.org
Subject: s/key implementation reveals existance of valid account names without S/Key
X-Send-Pr-Version: www-1.0

>Number:         4417
>Category:       security
>Synopsis:       s/key implementation reveals existance of valid account names without S/Key
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    security-officer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 02 19:50:01 +0000 1997
>Closed-Date:    Fri Jan 28 22:34:22 +0000 2000
>Last-Modified:  Fri Jan 28 22:39:21 +0000 2000
>Originator:     Scott Burns
>Release:        NetBSD/i386 V1.2.1
>Organization:
NETCON Technologies Inc.
>Environment:
NetBSD ncti40.ncti.com 1.2.1 NetBSD 1.2.1 (NCTI40) #0: Fri Apr 25 16:49:40 PDT 1
997     root@ncti40.ncti.com:/usr/src/sys/arch/i386/compile/NCTI40 i386


>Description:

>How-To-Repeat:
(Originally sent to tech-security as a plain e-mail as I had no send-pr
access at the time.)

In attempting to bring up s/key on a few key accounts on a machine
this weekend I ran into something I feel weakens it’s effectiveness
under NetBSD.

If I setup say the "root" account to have s/key, and another account
called jsmith does not have s/key, the following takes place:

telnet localhost

Login: nonuser
Password: s/key
Login incorrect

telnet localhost

Login: jsmith
Password: s/key
You have no s/key. Login incorrect

This now reveals to me that account jsmith is a valid account on this
machine, and does not use s/key, so I can begin to hack. Should this
extra message be removed ?

Or as mailed to me by angelos@dsl.cis.upenn.edu maybe:

I suppose the correct behaviour is to offer a bogus
challenge if the user is nonexistant or not setup for s/key (makes
debugging a bit more difficult).

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->security-officer 
Responsible-Changed-By: fair 
Responsible-Changed-When: Thu Jan 14 01:03:41 PST 1999 
Responsible-Changed-Why:  
This PR is the responsibility of the NetBSD Security Officer, 
not the GNATS database administrator. 
State-Changed-From-To: open->analyzed 
State-Changed-By: fair 
State-Changed-When: Mon Mar 15 21:52:29 PST 1999 
State-Changed-Why:  
In the modern age, it's very difficult to keep the user list of a host 
completely confidential, and I have to wonder if it's worthwhile. With 
this information, an attacker now has an account that he can try passwords 
against, or annoy with spam, or attempt to fill up /var/mail.... 

In the end, however, all these attacks reveal themselves to even a lazy 
system administrator. Is this additional atempt to raise the bar for 
a potential system attacker really worth the effort? 

From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
To: gnats-bugs@netbsd.org
Cc: fair@netbsd.org
Subject: security/4417
Date: Wed, 6 Oct 1999 11:08:58 +0200

 If the 2nd option (creating a fake challenge) is easy to implement, it 
 should be done.

 Until then, the 1st option (at least to explictly admitting that there
 is an activated s/key on this system) should be done.

 We should not make data collection easier than it used to be on ancient BSD...

 Regards,
 	-is

From: "Martin J. Laubach" <mjl@emsi.priv.at>
To: gnats-bugs@netbsd.org
Cc: fair@netbsd.org, is@netbsd.org
Subject: security/4417
Date: Sat, 30 Oct 1999 02:41:07 +0200

   Meanwhile (1.4 and later) everything has changed:

 	login: mjl
 	Password [s/key 658 hedg29176]:

   while entering s/key at the password prompt will yield
 "login incorrect", no matter whether the user exists, or
 has s/key enabled.

   What now?

 	mjl


From: Ignatios Souvatzis <is@jocelyn.rhein.de>
To: "Martin J. Laubach" <mjl@emsi.priv.at>
Cc: gnats-bugs@netbsd.org, fair@netbsd.org, is@netbsd.org
Subject: Re: security/4417
Date: Sat, 30 Oct 1999 13:15:19 +0200

 On Sat, Oct 30, 1999 at 02:41:07AM +0200, Martin J. Laubach wrote:
 >   Meanwhile (1.4 and later) everything has changed:
 > 
 > 	login: mjl
 > 	Password [s/key 658 hedg29176]:
 > 
 >   while entering s/key at the password prompt will yield
 > "login incorrect", no matter whether the user exists, or
 > has s/key enabled.
 > 
 >   What now?

 That's even worse than before. OTOH, on a s/key enabled system, non-s/key
 users or rather, non-existent users could get a fake challenge, maybe?
 	-is

From: "Erik E. Fair" <fair@clock.org>
To: gnats-bugs@netbsd.org
Cc: Ignatios Souvatzis <is@netbsd.org>, "Martin J. Laubach" <mjl@netbsd.org>
Subject: Re: security/4417
Date: Wed, 26 Jan 2000 15:56:36 -0800

 OK, let me see if I have this problem figured out:

 1. we don't want to reveal any information about who has an account, 
 and who doesn't because that might help an attacker. Never mind that 
 such information from a multi-user UNIX system is routinely revealed 
 by other mechanisms (e.g. E-mail, IRC, identd, finger).

 2. Given #1, and a system with S/Key One Time Passwords enabled, the 
 fact of a user getting an S/Key prompt reveals that the user exists 
 and has an S/Key password. However, a valid user without an S/Key and 
 an invalid user (who, by definition, has no S/Key) are both greeted 
 by the standard "Password:" prompt.

 3. Therefore, we want to issue a bogus challenge, IFF S/Key is 
 enabled on the system for any users when we are presented with an 
 invalid username?

 Of course, if we do that, then the attacker can determine through 
 trial which users are valid, but do not have an S/Key.

 I think the status quo is fine. The users with the weakest 
 authentication mechanism are still hidden, at the expense of exposing 
 the users with a stronger authentication mechanism.

 I see no way to win (i.e. reveal no information) here, unless *all* 
 users have S/Keys, and I see no mechanism to test that (MxN password 
 file versus /etc/skeykeys file comparison every time someone tries to 
 login? I don't think that's such a hot idea).

 	Erik E. Fair <security-officer@netbsd.org>
State-Changed-From-To: analyzed->closed 
State-Changed-By: fair 
State-Changed-When: Fri Jan 28 14:34:22 PST 2000 
State-Changed-Why:  
Examination of the login.c source code and some thinking about the 
information revelation possibilities (and their mitigation) leads the 
Security Officer to close this PR leaving things status quo (which has 
changed since the PR was submitted) because there's no way to really win 
here - the question is simply who you screw and how because you must 
prompt S/Key users and non-S/Key users differently, and that reveals 
information. 

From: "Martin J. Laubach" <mjl@emsi.priv.at>
To: "Erik E. Fair" <fair@clock.org>
Cc: gnats-bugs@netbsd.org, Ignatios Souvatzis <is@netbsd.org>,
        "Martin J. Laubach" <mjl@netbsd.org>
Subject: Re: security/4417
Date: Sat, 5 Feb 2000 03:39:44 +0100

 | 1. we don't want to reveal any information about who has an account, 
 | and who doesn't because that might help an attacker. 

   We also do not want to give out information who has s/key
 login enabled.

 | 3. Therefore, we want to issue a bogus challenge, IFF S/Key is 
 | enabled on the system for any users when we are presented with an 
 | invalid username?

   No, if s/key is enabled, one would rather want to present _all_
 users -- no matter if (a) valid, no s/key, (b) valid, with s/key,
 or (c) invalid -- with a _credible_ s/key challenge.

   Of course this is aesthetically unpleasant and may be confusing
 to the user. So have it configurable somewhere.

 	mjl
>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.