[OpenAFS] Error logging by pam_afs causes password to appear in log files
Charles Karney
ckarney@sarnoff.com
Thu, 20 Feb 2003 09:43:29 -0500
Summary:
pam_afs logs the username on failed authentication attempts in
contexts where the user may accidentally have entered his password.
Configuration:
RedHat Linux 8.0
Linux 2.4.18-19
openafs-1.2.8-rh8.0.1
Graphical login via gdm, configured by
/etc/pam.d/gdm:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=afs-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
/etc/pam.d/afs-auth:
#%PAM-1.0
# This file is auto-generated.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_afs.so try_first_pass ignore_root
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
Description:
Problem 1.
Sometimes, when walking up to my blank monitor, I assume that my X
session is locked, when, in fact, I have logged out. I then enter my
password into the "Username" box for gdm. (My monitor is still warming
up at this point, so I don't see what's happening.)
I realize I have made a mistake when I am presented with the AFS
password box. If I type <enter> or else enter a fake password at this
point then /var/log/messages records this as either
pam_afs[1277]: AFS Won't use illegal password for user PASSWORD
or
pam_afs[2109]: AFS Authentication failed for user PASSWORD. user doesn't exist
In both cases, my password makes it into the system log files and hence
onto backup tapes, etc. This shouldn't happen. There should be some
mode of invoking pam_afs (maybe this should be the default mode) where
the error logging should merely be "user unknown".
Problem 2.
(A minor nit...) pam_afs behaves differently with a NULL password
compared to a non-NULL bad password. The first causes the login to fail
(with an alert box, which is not the standard that other modules use!),
and the second causes the system to prompt for the Unix password.
Why does AFS (klog/pam_afs) treat a NULL password specially? Why not
just treat it as a bad password? This would provide more consistent
behavior to the user.
Later:
In going over the pam_afs documentation (pam_afs.5) in the openafs 1.2.8
source tree (why isn't this included in the openafs-client rpm?), I see
that the security aspect of Problem 1 is fixed by "nowarn". So perhaps
these problems are mainly an issue of how the default install is done.
(The options I used on pam_afs are the ones suggested by the rpm
installation.) However, I would still claim that the behavior of
pam_afs after a failure without the "nowarn" option should be
(a) if the AFS user exists, log "bad password for AFS user USER"
(b) if the AFS user does not exist, log "unknown AFS user"
--
Charles Karney Email: ckarney@sarnoff.com
Sarnoff Corporation Phone: +1 609 734 2312
Princeton, NJ 08543-5300 Fax: +1 609 734 2323
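The failure-logging rule proposed above (name the account only when it is known to exist, otherwise log "unknown user" without echoing the free-form input) and a scan for log lines that may already carry a leaked password, as an added example. This is not pam_afs code and not from the post; the set of known accounts, the process IDs and the syslog lines are constructed for the example, and the message formats are copied from the two lines quoted in the report.

```python
"""Failure logging that does not echo unauthenticated input (added example).

weak_log_line() reproduces the behaviour the report complains about: the
submitted "username" goes into syslog verbatim, so a password typed into
the Username box lands in /var/log/messages and on backups.
safe_log_line() implements the report's proposal: (a) a known AFS user is
named, (b) an unknown name is not logged at all, because an unknown
"username" at a login prompt is quite possibly a password.
find_leaked_candidates() is the clean-up side: scan existing logs for the
two pam_afs failure messages and flag any logged "user" that is not a
real account, as a candidate for scrubbing.
"""
import re

# Constructed set of accounts known to the authentication backend.
KNOWN_USERS = {"ckarney", "alice", "bob"}


def weak_log_line(pid: int, username: str, reason: str) -> str:
    """Format used by pam_afs as quoted in the report: input is echoed."""
    return f"pam_afs[{pid}]: AFS Authentication failed for user {username}. {reason}"


def safe_log_line(pid: int, username: str, known_users=KNOWN_USERS) -> str:
    """Proposed format: only names that are confirmed accounts are logged."""
    if username in known_users:
        return f"pam_afs[{pid}]: bad password for AFS user {username}"
    return f"pam_afs[{pid}]: unknown AFS user"


# Matches both failure messages quoted in the report; group 1 is the pid,
# group 2 the logged "user" token (stops at an optional trailing period).
LOG_RE = re.compile(
    r"pam_afs\[(\d+)\]: AFS (?:Won't use illegal password|Authentication failed)"
    r" for user (\S+?)\.?(?:\s|$)"
)


def find_leaked_candidates(lines, known_users=KNOWN_USERS):
    """Return (pid, token) for failure lines whose 'user' is not a known account.

    A token that is not an account name is the thing the report warns about:
    something the person typed that was not a username, i.e. probably a
    password. Tokens containing whitespace are not handled by this regex.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(2) not in known_users:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


# Constructed syslog sample; the two "passwords" are obviously fake.
SAMPLE_LOG = [
    "Feb 20 09:12:01 host pam_afs[1277]: AFS Won't use illegal password for user ckarney",
    "Feb 20 09:12:40 host pam_afs[2109]: AFS Authentication failed for user Tr0ub4dor&3. user doesn't exist",
    "Feb 20 09:13:05 host pam_afs[1277]: AFS Won't use illegal password for user s3cret-pass",
    "Feb 20 09:13:30 host sshd[400]: Accepted publickey for alice",
]


if __name__ == "__main__":
    print(weak_log_line(2109, "Tr0ub4dor&3", "user doesn't exist"))
    print(safe_log_line(2109, "Tr0ub4dor&3"))
    print(safe_log_line(1277, "ckarney"))
    for pid, token in find_leaked_candidates(SAMPLE_LOG):
        print(f"possible leaked secret in pam_afs[{pid}] line: {token!r}")
```

The scan is deliberately conservative: it only looks at the two pam_afs failure formats and only flags tokens that are not accounts, so a misspelled real username also shows up and needs a human to decide. Run it against a copy of /var/log/messages before deciding which lines (and which backup sets) need scrubbing.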