Debian Bug report logs - #99168: ssh: identifying root's password by measuring password-failure delays
Reported by: oskar@osk.mine.nu
Date: Tue, 29 May 2001 17:11:18 UTC
Severity: normal
Found in version 1:2.5.2p2-2.1
Fixed in version openssh/1:3.6.1p2-6
Done: Colin Watson <cjwatson@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Philip Hands <phil@hands.com>:
Bug#99168; Package ssh.
Acknowledgement sent to Oskar Liljeblad <osk@hem.passagen.se>:
New Bug report received and forwarded. Copy sent to Philip Hands <phil@hands.com>.
Message #5 received at submit@bugs.debian.org:
Package: ssh
Version: 1:2.5.2p2-2.1
Severity: normal
I don't know how to categorise this behaviour, but I consider
it a bug. (If not a bug, at least mention it in README.Debian.)
Logging in with root through ssh is not possible in the default
configuration of openssh in Debian. However, when you try to log
in as root, and use root's correct password, you will _immediately_
be presented with this message:
Permission denied, please try again.
Normally (as in the case when you enter an invalid password, even
for root), that message is first printed after a 1-2 second delay.
Oskar Liljeblad (osk@hem.passagen.se)
-- System Information
Debian Release: testing/unstable
Kernel Version: Linux oskar 2.2.19 #1 SMP Wed May 9 08:10:45 CEST 2001 i686 unknown
Versions of the packages ssh depends on:
ii debconf 0.9.62 Debian configuration management system
ii libc6 2.2.3-1 GNU C Library: Shared libraries and Timezone
ii libpam-modules 0.72-24 Pluggable Authentication Modules for PAM
ii libpam0g 0.72-24 Pluggable Authentication Modules library
ii libssl0.9.6 0.9.6-2 SSL shared libraries
ii libwrap0 7.6-7 Wietse Venema's TCP wrappers library
ii zlib1g 1.1.3-15 compression library - runtime
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#99168; Package ssh.
Acknowledgement sent to Ian Jackson <ian@davenant.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #10 received at 99168@bugs.debian.org:
The n-second delay is done by PAM, which provides no way to find out
how long it can be, or to simulate it. The problem is really that
`PermitRootLogin no' takes effect *after* the authentication has taken
place, rather than rejecting the attempt to authenticate.
The patch below may fix this I think, but I HAVE NOT TESTED IT AT ALL.
It compiles :-). Given its nature, if we like it, we should send it
upstream ASAP.
Ian.
diff -ru orig/openssh-2.9p2/auth.c openssh-2.9p2/auth.c
--- orig/openssh-2.9p2/auth.c Mon Mar 19 22:15:57 2001
+++ openssh-2.9p2/auth.c Thu Aug 23 02:06:13 2001
@@ -202,23 +202,34 @@
* Check whether root logins are disallowed.
*/
int
-auth_root_allowed(char *method)
+auth_allowed(const Authctxt *authctxt, const char *method)
{
- switch (options.permit_root_login) {
- case PERMIT_YES:
- return 1;
- break;
- case PERMIT_NO_PASSWD:
- if (strcmp(method, "password") != 0)
- return 1;
- break;
- case PERMIT_FORCED_ONLY:
- if (forced_command) {
- log("Root login accepted for forced command.");
+
+#ifndef HAVE_CYGWIN
+ /* Check the special handling for root */
+ if (authctxt->pw->pw_uid == 0) {
+
+ switch (options.permit_root_login) {
+ case PERMIT_YES:
return 1;
+ break;
+ case PERMIT_NO_PASSWD:
+ if (strcmp(method, "password") != 0)
+ return 1;
+ break;
+ case PERMIT_FORCED_ONLY:
+ if (forced_command) {
+ log("root auth in progress (forced command).");
+ return 1;
+ }
+ break;
}
- break;
+ log("ROOT LOGIN AUTH (%s) REJECTED FROM %.200s",
+ method, get_remote_ipaddr());
+
+ return 0;
}
- log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
- return 0;
+#endif
+
+ return 1;
}
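Review bot: `authctxt->pw->pw_uid` is dereferenced without a NULL check, and the auth2.c hunk in this same patch now calls `auth_allowed()` before `m->userauth()`, i.e. before the `authenticated` guard that used to protect this dereference in the old `#else` block. Unless `authctxt->pw` is guaranteed non-NULL for an unknown user name, an SSH2 request for a nonexistent user would crash the server child; guarding the root branch with `if (authctxt->pw != NULL && authctxt->pw->pw_uid == 0)` (or checking `authctxt->valid` first) avoids that. Minor: the `break;` after each `return 1;` is unreachable and can be dropped.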
Only in openssh-2.9p2/: auth.c~
diff -ru orig/openssh-2.9p2/auth.h openssh-2.9p2/auth.h
--- orig/openssh-2.9p2/auth.h Fri Apr 13 00:34:35 2001
+++ openssh-2.9p2/auth.h Thu Aug 23 02:00:32 2001
@@ -127,7 +127,7 @@
Authctxt *authctxt_new(void);
void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info);
void userauth_finish(Authctxt *authctxt, int authenticated, char *method);
-int auth_root_allowed(char *method);
+int auth_allowed(const Authctxt *authctxt, const char *method);
int auth2_challenge(Authctxt *authctxt, char *devs);
Only in openssh-2.9p2/: auth.h~
Only in openssh-2.9p2/: auth.o
diff -ru orig/openssh-2.9p2/auth1.c openssh-2.9p2/auth1.c
--- orig/openssh-2.9p2/auth1.c Sat Mar 24 00:37:59 2001
+++ openssh-2.9p2/auth1.c Thu Aug 23 02:00:38 2001
@@ -61,6 +61,25 @@
}
/*
+ * check to see whether the authentication method proposed
+ * is enabled - and also enforce the if-root checks
+ */
+static int
+auth1_allowed(int enabled, Authctxt *authctxt, int type)
+{
+ char *method;
+
+ method= get_authname(type);
+
+ if (!enabled) {
+ verbose("auth type %s disabled.", method);
+ return 0;
+ }
+
+ return auth_allowed(authctxt, method);
+}
+
+/*
* read packets, try to authenticate the user and
* return only if authentication is successful
*/
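Review bot: `auth1_allowed()` calls `auth_allowed()` for every SSH1 authentication message received, so with PermitRootLogin=no a single root session produces one `ROOT LOGIN AUTH (...) REJECTED` line per method the client tries, where the old code logged once at the end; consider logging only on the first rejection per connection. The replaced per-method verbose() texts ("Kerberos tgt passing disabled." and friends) were also more specific than `auth type %s disabled.`, and `method= get_authname(type);` should be spaced `method = get_authname(type);`.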
@@ -118,8 +137,8 @@
switch (type) {
#ifdef AFS
case SSH_CMSG_HAVE_KERBEROS_TGT:
- if (!options.kerberos_tgt_passing) {
- verbose("Kerberos tgt passing disabled.");
+ if (!auth1_allowed(options.kerberos_tgt_passing,
+ authctxt, type)) {
break;
} else {
/* Accept Kerberos tgt. */
@@ -132,8 +151,8 @@
continue;
case SSH_CMSG_HAVE_AFS_TOKEN:
- if (!options.afs_token_passing || !k_hasafs()) {
- verbose("AFS token passing disabled.");
+ if (!auth1_allowed(options.afs_token_passing &&
+ k_hasafs(), authctxt, type)) {
break;
} else {
/* Accept AFS token. */
@@ -147,8 +166,8 @@
#endif /* AFS */
#ifdef KRB4
case SSH_CMSG_AUTH_KERBEROS:
- if (!options.kerberos_authentication) {
- verbose("Kerberos authentication disabled.");
+ if (!auth1_allowed(options.kerberos_authentication,
+ authctxt, type)) {
break;
} else {
/* Try Kerberos v4 authentication. */
@@ -173,8 +192,8 @@
#endif /* KRB4 */
case SSH_CMSG_AUTH_RHOSTS:
- if (!options.rhosts_authentication) {
- verbose("Rhosts authentication disabled.");
+ if (!auth1_allowed(options.rhosts_authentication,
+ authctxt, type)) {
break;
}
/*
@@ -193,8 +212,8 @@
break;
case SSH_CMSG_AUTH_RHOSTS_RSA:
- if (!options.rhosts_rsa_authentication) {
- verbose("Rhosts with RSA authentication disabled.");
+ if (!auth1_allowed(options.rhosts_rsa_authentication,
+ authctxt, type)) {
break;
}
/*
@@ -228,8 +247,8 @@
break;
case SSH_CMSG_AUTH_RSA:
- if (!options.rsa_authentication) {
- verbose("RSA authentication disabled.");
+ if (!auth1_allowed(options.rsa_authentication,
+ authctxt, type)) {
break;
}
/* RSA authentication requested. */
@@ -241,8 +260,8 @@
break;
case SSH_CMSG_AUTH_PASSWORD:
- if (!options.password_authentication) {
- verbose("Password authentication disabled.");
+ if (!auth1_allowed(options.password_authentication,
+ authctxt, type)) {
break;
}
/*
@@ -271,7 +290,8 @@
case SSH_CMSG_AUTH_TIS:
debug("rcvd SSH_CMSG_AUTH_TIS");
- if (options.challenge_reponse_authentication == 1) {
+ if (auth1_allowed(options.challenge_reponse_authentication == 1,
+ authctxt, type)) {
char *challenge = get_challenge(authctxt, authctxt->style);
if (challenge != NULL) {
debug("sending challenge '%s'", challenge);
@@ -285,7 +305,8 @@
break;
case SSH_CMSG_AUTH_TIS_RESPONSE:
debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
- if (options.challenge_reponse_authentication == 1) {
+ if (auth1_allowed(options.challenge_reponse_authentication == 1,
+ authctxt, type)) {
char *response = packet_get_string(&dlen);
debug("got response '%s'", response);
packet_integrity_check(plen, 4 + dlen, type);
@@ -313,6 +334,9 @@
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
+ if (authenticated && !auth1_allowed(1, authctxt, type))
+ fatal("INTERNAL ERROR: auth clause no auth1_allowed");
+
#ifdef HAVE_CYGWIN
if (authenticated &&
!check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) {
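Review bot: the new consistency check `auth1_allowed(1, authctxt, type)` re-runs `auth_allowed()` after a successful authentication, so in the PERMIT_FORCED_ONLY case the `root auth in progress (forced command).` line is logged a second time for the same attempt, and the fatal() text `auth clause no auth1_allowed` does not say what went wrong; suggest `fatal("INTERNAL ERROR: authenticated but auth1_allowed() rejects %s", get_authname(type))` and a comment stating that the check exists to catch a case statement that forgot the `auth1_allowed()` gate.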
@@ -320,11 +344,6 @@
(int)pw->pw_uid);
authenticated = 0;
}
-#else
- /* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
- !auth_root_allowed(get_authname(type)))
- authenticated = 0;
#endif
#ifdef USE_PAM
if (authenticated && !do_pam_account(pw->pw_name, client_user))
Only in openssh-2.9p2/: auth1.c~
Only in openssh-2.9p2/: auth1.o
Only in openssh-2.9p2/: auth2-chall.o
Only in openssh-2.9p2/: auth2-pam.o
diff -ru orig/openssh-2.9p2/auth2.c openssh-2.9p2/auth2.c
--- orig/openssh-2.9p2/auth2.c Wed Apr 25 13:44:15 2001
+++ openssh-2.9p2/auth2.c Thu Aug 23 02:00:33 2001
@@ -242,7 +242,8 @@
m = authmethod_lookup(method);
if (m != NULL) {
debug2("input_userauth_request: try method %s", method);
- authenticated = m->userauth(authctxt);
+ authenticated = auth_allowed(authctxt, m->name)
+ && m->userauth(authctxt);
}
userauth_finish(authctxt, authenticated, method);
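Review bot: `auth_allowed()` now runs for every method the client names, and, as Darren Tucker's later message in this log explains, SSH2 clients open with the `none` method to learn which methods are required; with PermitRootLogin=no every root connection would therefore log `ROOT LOGIN AUTH (none) REJECTED` before any real attempt is made. Consider exempting `none` from the log line (rejecting it is the normal outcome anyway). The short-circuit `&&` also means `m->userauth()` never consumes the method-specific fields of the request packet when root is refused, which is fine only if the packet layer discards unread payload before the next packet; worth confirming.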
@@ -257,11 +258,6 @@
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
authctxt->user);
-
- /* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 &&
- !auth_root_allowed(method))
- authenticated = 0;
#ifdef USE_PAM
if (authenticated && authctxt->user && !do_pam_account(authctxt->user,
Only in openssh-2.9p2/: auth2.c~
Message sent on to Oskar Liljeblad <osk@hem.passagen.se>:
Bug#99168.
Bug closed, send any further explanations to Oskar Liljeblad <osk@hem.passagen.se>
Request was from Oskar Liljeblad <oskar@osk.mine.nu>
to control@bugs.debian.org.
Bug reopened, originator set to oskar@osk.mine.nu.
Request was from Oskar Liljeblad <oskar@osk.mine.nu>
to control@bugs.debian.org.
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
Notification sent to oskar@osk.mine.nu:
Bug acknowledged by developer.
Message #22 received at 99168-done@bugs.debian.org:
On Thu, Aug 23, 2001 at 02:11:50AM +0100, Ian Jackson wrote:
> The n-second delay is done by PAM, which provides no way to find out
> how long it can be, or to simulate it. The problem is really that
> `PermitRootLogin no' takes effect *after* the authentication has taken
> place, rather than rejecting the attempt to authenticate.
>
> The patch below may fix this I think, but I HAVE NOT TESTED IT AT ALL.
> It compiles :-). Given its nature, if we like it, we should send it
> upstream ASAP.
It doesn't appear that any of us actually got around to doing this.
However, a variant of this was submitted separately upstream as bug #486
(http://bugzilla.mindrot.org/show_bug.cgi?id=486), and fixed in OpenSSH
3.6. I've verified that when "PermitRootLogin no" is set then both valid
and invalid passwords are rejected immediately; as Ian notes, PAM
provides no way to simulate the delay.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
Bug reopened, originator not changed.
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
Information forwarded to openssh@packages.qa.debian.org:
Bug#99168; Package ssh.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and filed, but not forwarded. Copy sent to openssh@packages.qa.debian.org.
Message #29 received at 99168-quiet@bugs.debian.org:
reopen 99168
thanks
On Mon, May 05, 2003 at 03:54:24PM -0400, Matt Zimmerman wrote:
> From bugtraq...it sounds like it is possible that the new version does
> not fix all of the problems.
Hm. This is a recurrence of bug #99168, a.k.a. upstream bug #486. I
haven't quite tracked down why yet ...
You're probably safe for stable, though, as I think 3.4p1 had that bug
to start with anyway.
--
Colin Watson [cjwatson@flatline.org.uk]
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#99168; Package ssh.
Acknowledgement sent to Darren Tucker <dtucker@zip.com.au>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #34 received at 99168@bugs.debian.org:
Hi.
Regarding the following Debian OpenSSH bugs:
#99168: identifying root's password by measuring password-failure delays
#192207: ssh 3.6.1p2-1 introduces a 2-3 second delay when logging in
#193546: ssh: Strange authentication failure...
I've been looking at these. They're interrelated, hence the multiple
update.
They have all been fixed in the current development tree as part of a
cleanup of auth-passwd.c (rev 1.57, but the diff is large) and new PAM
code (auth-pam.c rev 1.58 + associated changes).
Attached is a small patch against 3.6.1p2 which should solve all three.
I would review it very carefully before using it, though, I may have
overlooked something.
Basically, the issue arises because in the SSH2 protocol, the "none"
authentication method does double duty as "let me log in now if you don't
require authentication" and "otherwise tell me what authentications you
require".
The client starts an authentication by asking the server for "none"
authentication, and the server must either allow the login at that point
(if the user has no password and empty passwords are permitted) or reply
with a list of allowed methods. To determine if the "none" login should
be allowed, auth_password is called with a password of "", and if that
fails it proceeds with the rest of the authentication protocol.
Previously, auth_password would return as soon as any of its tests
failed, so as long as the server was configured with "PermitEmptyPasswords
no" the attempt to authenticate with the empty password would fail
immediately (before asking PAM). Unfortunately this leaked information
(eg about the state of PermitRootLogin).
The "owl-always-auth" patch added for 3.6.1p2 changed the way
auth_password worked. Instead of failing immediately, it set a flag on
failure but tried all the tests anyway. Unfortunately this meant the
"none" authentication tries a PAM authentication without a password, which
fails and adds the delay and log message. It also meant that regardless
of the PermitRootLogin setting, a PAM authentication was always attempted
for root, which returns much faster when the password is correct and thus
leaks information (ie #99168 re-occurred).
The attached patch:
a) returns immediately for empty passwords if PermitEmptyPasswords=no.
b) makes an invalid call to auth_pam_password if PermitRootLogin=no which
will always fail.
Note that a) will leak the PermitEmptyPasswords setting; I don't see any
way around that without imposing a delay on *all* logins. This
behaviour is consistent with the current development tree.
Also note that b) will leak info on whether or not root actually has a
password. I suspect that could be determined easily in other ways :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
[openssh-debian_login.patch (text/plain, inline)]
Index: auth-passwd.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-passwd.c,v
retrieving revision 1.51.4.1
diff -u -r1.51.4.1 auth-passwd.c
--- auth-passwd.c 29 Apr 2003 09:12:08 -0000 1.51.4.1
+++ auth-passwd.c 6 Aug 2003 06:16:36 -0000
@@ -117,14 +117,22 @@
/* deny if no user. */
if (pw == NULL)
ok = 0;
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+ return 0;
#ifndef HAVE_CYGWIN
if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0;
#endif
- if (*password == '\0' && options.permit_empty_passwd == 0)
- ok = 0;
#if defined(USE_PAM)
+ /*
+ * If the user logging in is root and RootLogin=no, always attempt
+ * an invalid root login to prevent leaking timing information
+ */
+ if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
+ auth_pam_password(authctxt, "");
+ return 0;
+ }
return auth_pam_password(authctxt, password) && ok;
#elif defined(HAVE_OSF_SIA)
if (!ok)
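Review bot: in the `USE_PAM` branch the substitute call is `auth_pam_password(authctxt, "")`, an empty password; whether that takes as long as a wrong non-empty password depends on the PAM stack (a module may refuse an empty authtok before doing any work), so the refusal could still be distinguishable from the ordinary failure path. The follow-up patch described later in this log switches to a bogus non-empty password, which is the safer choice. Two smaller points: the early `return 0` for an empty password with PermitEmptyPasswords=no now sits before `#ifdef USE_PAM`, so those attempts never reach PAM and are not logged (also addressed in the follow-up), and the comment says `RootLogin=no` where the option is `PermitRootLogin`. The `!= PERMIT_YES` test folds `without-password` and `forced-commands-only` into the always-fail path, which matches the existing `ok = 0` test just above it.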
Tags added: pending
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and filed, but not forwarded.
Message #41 received at 99168-quiet@bugs.debian.org:
tags 99168 pending
tags 192207 pending
tags 193546 pending
thanks
On Sat, Aug 09, 2003 at 03:47:24PM +1000, Darren Tucker wrote:
> Attached is an updated patch that should address a couple of issues with
> the previous one:
>
> a) The short-cut for permitemptypassword=no is in the authentication
> negotiation. This means that if the user actually supplies a null
> password, it will be logged.
>
> b) In the case of permitrootlogin=no, attempt an auth with a totally bogus
> password (idea from openwall linux).
>
> Again, review carefully before using it, I may have overlooked something.
I've thought about this carefully and tested all the interesting
combinations I can think of, and it seems fine. I'll upload to Debian
unstable shortly, at which point no doubt it'll break for half a dozen
people with strange setups, but that's life. ;)
Thanks!
--
Colin Watson [cjwatson@flatline.org.uk]
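The leak that Darren Tucker's message #34 describes, and the "always attempt a bogus authentication" shape his revised patch adopts, reduced to a small model. This is an added example, not code from the bug log or from OpenSSH: `pam_authenticate_model()` is a hypothetical stand-in for the PAM step that counts failure delays instead of sleeping, `ROOT_SECRET` is a constructed sample value, and only uid 0 has a password in the model.

```c
/* Added example (not from the bug log or OpenSSH): a reduced model of
 * auth_password() contrasting the shape that leaked in #99168 with the
 * shape of the fix. PAM is replaced by a stand-in that counts how often
 * the failure delay would have run, so both shapes compare deterministically. */
#include <stdio.h>
#include <string.h>

#define PERMIT_NO  0
#define PERMIT_YES 1

static const char *ROOT_SECRET = "constructed-root-secret"; /* sample value */
static int delays_incurred; /* stand-in for time spent in PAM's fail delay */

/* Model of the PAM conversation: succeeds promptly for root's real password,
 * otherwise fails after the (counted) delay. Only uid 0 has a password here. */
static int pam_authenticate_model(int uid, const char *password)
{
    if (uid == 0 && strcmp(password, ROOT_SECRET) == 0)
        return 1;               /* success: PAM returns without delay */
    delays_incurred++;          /* failure: PAM sleeps before returning */
    return 0;
}

/* Leaky shape (2.5.2p2, and the 3.6.1p2 "owl-always-auth" variant): PAM runs
 * first and PermitRootLogin is applied to the result afterwards, so with
 * PermitRootLogin=no a correct root password is refused without the delay
 * and a wrong one with it: the observable difference in the report. */
int auth_password_leaky(int uid, const char *password, int permit_root_login)
{
    int ok = pam_authenticate_model(uid, password);
    if (uid == 0 && permit_root_login != PERMIT_YES)
        ok = 0;                 /* policy applied too late to hide timing */
    return ok;
}

/* Fixed shape (the revised patch): when root may not log in, run PAM anyway
 * with a password that can never match, so the refusal costs the same as
 * any other failed attempt, then discard the result. */
int auth_password_fixed(int uid, const char *password, int permit_root_login)
{
    if (uid == 0 && permit_root_login != PERMIT_YES) {
        (void)pam_authenticate_model(uid, "\001bogus-cannot-match");
        return 0;
    }
    return pam_authenticate_model(uid, password);
}

/* Run one attempt through fn and return how many failure delays it incurred
 * (*result, if non-NULL, receives the verdict). A defender can use this to
 * confirm that refused-after-success and plainly-refused paths do equal work. */
int delays_for(int (*fn)(int, const char *, int), int uid,
               const char *password, int permit_root_login, int *result)
{
    int r;
    delays_incurred = 0;
    r = fn(uid, password, permit_root_login);
    if (result != NULL)
        *result = r;
    return delays_incurred;
}

int main(void)
{
    int leak = delays_for(auth_password_leaky, 0, ROOT_SECRET, PERMIT_NO, NULL);
    int fix = delays_for(auth_password_fixed, 0, ROOT_SECRET, PERMIT_NO, NULL);
    printf("correct root password, PermitRootLogin no: leaky=%d delay(s), fixed=%d delay(s)\n",
           leak, fix);
    return 0;
}
```

With the leaky shape the correct root password is the only input that incurs zero delays; with the fixed shape every refused root attempt incurs exactly one, the same as a wrong password.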
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
Notification sent to oskar@osk.mine.nu:
Bug acknowledged by developer.
Message #46 received at 99168-close@bugs.debian.org:
Source: openssh
Source-Version: 1:3.6.1p2-6
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh_3.6.1p2-6.diff.gz
to pool/main/o/openssh/openssh_3.6.1p2-6.diff.gz
openssh_3.6.1p2-6.dsc
to pool/main/o/openssh/openssh_3.6.1p2-6.dsc
ssh-askpass-gnome_3.6.1p2-6_i386.deb
to pool/main/o/openssh/ssh-askpass-gnome_3.6.1p2-6_i386.deb
ssh_3.6.1p2-6_i386.deb
to pool/main/o/openssh/ssh_3.6.1p2-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 99168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 3 Sep 2003 19:14:02 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source i386
Version: 1:3.6.1p2-6
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 99168 192207 193546 197576 208036
Changes:
openssh (1:3.6.1p2-6) unstable; urgency=medium
.
* Use a more CVS-friendly means of setting SSH_VERSION.
* Update Brazilian Portuguese debconf template translation (thanks, Andre
Luis Lopes; closes: #208036).
* Don't run 'sshd -t' in init script if the server isn't to be run
(closes: #197576).
* Fix login delay, spurious auth.log entry, and PermitRootLogin
information leakage due to PAM issues with upstream's recent security
update (thanks, Darren Tucker; closes: #99168, #192207, #193546).
* Policy version 3.6.1: recode this changelog to UTF-8.
Files:
79a152667d63253e2086fa31f78425f1 847 net standard openssh_3.6.1p2-6.dsc
0ed10571bcc3518bd5c10fd8f6418438 80668 net standard openssh_3.6.1p2-6.diff.gz
5ae4629042fc19ef0f5b422ddc5bd6e2 645280 net standard ssh_3.6.1p2-6_i386.deb
9a738e3aa3c8bd9512e5166772b4b65e 42648 gnome optional ssh-askpass-gnome_3.6.1p2-6_i386.deb
Last modified: Sat Mar 25 18:11:19 2023