[Buildroot] [Bug 12181] New: dropbear: norootlogin (-w) no longer works when PAM is enabled
bugzilla at busybox.net
bugzilla at busybox.net
Wed Sep 4 14:06:27 UTC 2019
https://bugs.busybox.net/show_bug.cgi?id=12181
Bug ID: 12181
Summary: dropbear: norootlogin (-w) no longer works when PAM is
enabled
Product: buildroot
Version: 2019.02.5
Hardware: All
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: Other
Assignee: unassigned at buildroot.uclibc.org
Reporter: jan.dumon at septentrio.com
CC: buildroot at uclibc.org
Target Milestone: ---
This affects dropbear 2018.76 in 2019.02.5 and earlier.
The vanilla dropbear 2018.76 doesn't have this problem, it is introduced
(ironically) by the patch for CVE-2018-15599 in
https://git.busybox.net/buildroot/commit?id=4a3b0ba38fde05e8f8c3512d516d86803efa44c0
It only happens when PAM is enabled & used.
When invoked with the -w command line argument, root logins should be
disallowed, but when someone attempts to login as root, the following happens:
- login attempt for root
- password is asked
- norootlogin is set but pam is invoked anyway
- pam validates the password and an 'already authenticated flag' gets set
- login still fails (as is expected) and password is asked again
- regardless of input, root can log in because he was authenticated before.
(completely unexpected !!!)
It's still required to have a proper password but the root login should not be
allowed per the -w command line argument.
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the buildroot
mailing list