[Secure-testing-team] Bug#482352: libpam-runtime: login for nonexistent user fails without password prompt
Nicholas Fleisher
nfleisher at gmail.com
Thu May 22 02:16:33 UTC 2008
Package: libpam-runtime
Version: 0.99.7.1-6
Severity: grave
Tags: security
Justification: user security hole
At console login, an invalid username will cause the login procedure to
fail *before* it prompts you for a password. (I only discovered this
because I accidentally mistyped my username.) This allows someone to
discover, without ever logging in, whether a given username exists on
the system or not. Seems like an important security issue. The exact
same issue cropped up on Arch Linux last fall (Nov 2007), where it was
determined to be a libpam problem. I don't know enough to know which
libpam package precisely is involved, but I only have three on my
system: libpam-modules, libpam-runtime, libpam0g, all with the same
maintainer, so hopefully this is getting to the right person.
Relevant Arch bug report:
http://bugs.archlinux.org/task/8742
Apologies if I've reported this as too severe: it was dealt with as high
severity in Arch, and seems like a major issue to this layman. Wish I
could tell you more, but as far as I can tell that's the extent of the
problem; everything works just fine if you log in with a name that exists
on the system.
-NF
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- no debconf information
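The behaviour reported above is a username-enumeration oracle: the observable difference is not the error text but whether a password prompt appears at all. The following is an added illustration, not code from this bug report, from PAM or from Debian's login; it uses a constructed in-memory user table and a callback standing in for the password prompt, and contrasts a login routine that returns before prompting for unknown users with one that always prompts, always performs a hash comparison (against a dummy entry for unknown users) and returns the same failure message either way. The `probe` helper returns what an attacker at the console can observe: the result and the number of prompts.

```python
"""Added illustration of the "fails before the password prompt" oracle.
Not PAM code; a model of the two behaviours with a constructed user table."""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """Slow password hash so both code paths do comparable work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample data: one real account and a dummy entry used so that
# the hardened path does the same work for nonexistent users.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = (_SALT, _hash("dummy", _SALT))


def leaky_login(username: str, ask_password) -> str:
    """Behaves like the report: unknown users fail before any prompt."""
    if username not in USERS:
        return "no such user"  # observable before the prompt: leaks existence
    salt, expected = USERS[username]
    pw = ask_password()
    if hmac.compare_digest(_hash(pw, salt), expected):
        return "ok"
    return "login incorrect"


def hardened_login(username: str, ask_password) -> str:
    """Always prompts, always hashes, and fails with one uniform message."""
    salt, expected = USERS.get(username, _DUMMY)
    pw = ask_password()
    valid = hmac.compare_digest(_hash(pw, salt), expected)
    # The existence check is folded into the final decision, after the
    # prompt and the hash, so prompt count and message do not depend on it.
    if username in USERS and valid:
        return "ok"
    return "login incorrect"


def probe(login, username: str, password: str = "x"):
    """Return (result, prompt_count): what a console attacker can observe."""
    prompts = []

    def ask() -> str:
        prompts.append(1)
        return password

    return login(username, ask), len(prompts)


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print("leaky   ", name, probe(leaky_login, name))
        print("hardened", name, probe(hardened_login, name))
```

With the leaky routine, "bob" produces a failure with zero prompts while "alice" is prompted once; with the hardened routine both are prompted exactly once and receive the identical message, so the prompt itself no longer tells the attacker anything.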