[Bug 340836] [NEW] action=update broken
Brian May
brian at microcomaustralia.com.au
Wed Mar 11 00:42:14 UTC 2009
Public bug reported:
Binary package hint: libpam-ccreds
The suggested configuration, at
<https://help.ubuntu.com/community/PamCcredsHowto>, says that if LDAP
authentication failed, e.g. bad password, use action=update, which
deletes the cached credentials.
This makes sense, because if the user entered an invalid password and
the LDAP server is contactable, the cached credentials may be
invalid[1].
However my tests reveal action=update is a NOP action.
This seems to come from the following line within cc_lib.cc
    if (memcmp(data, data_stored, datalength) == 0 || !credentials) {
        ... do delete ...
    }
I suspect the memcmp checks the password matches the cached value (no it
doesn't, the PAM configuration makes sure of this). credentials is set to
the string I am using to log in (I assume this is correct?). As such,
the if test fails, and the deletion is skipped.
This behaviour, if somehow correct, is not documented anywhere I can
see.
(note I am using the PAM configuration from another bug report
<https://bugs.launchpad.net/ubuntu/+source/libpam-ccreds/+bug/294977/comments/9>)
Notes
[1] Of course it could also be used as a DoS attack - e.g. connect
somebody's computer up to the network, type an invalid password, that
user won't be able to log in any more without using the network the
first time. Not sure what to do about this.
** Affects: libpam-ccreds (Ubuntu)
Importance: Undecided
Status: New
--
action=update broken
https://bugs.launchpad.net/bugs/340836
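
The C program below is an added example, not code from libpam-ccreds or from the report. It models only the condition quoted in the report, to show which of the three cases reaches the delete branch. The names toy_digest, cache_entry, delete_cached and try_update are hypothetical, and the digest is a constructed stand-in for whatever the library actually stores.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 8

/* Constructed stand-in digest (FNV-1a), NOT the library's real hash;
   it only needs to tell two different passwords apart. */
static void toy_digest(const char *pw, unsigned char out[DIGEST_LEN])
{
    unsigned long long h = 1469598103934665603ULL;
    for (; *pw; pw++) { h ^= (unsigned char)*pw; h *= 1099511628211ULL; }
    memcpy(out, &h, DIGEST_LEN);
}

/* Hypothetical cache record: one stored digest per user. */
struct cache_entry { int present; unsigned char data_stored[DIGEST_LEN]; };

/* Models the quoted test. Returns 1 if the entry was deleted, 0 if the
   delete was skipped. credentials may be NULL (nothing supplied). */
static int delete_cached(struct cache_entry *e, const char *credentials)
{
    unsigned char data[DIGEST_LEN] = {0};
    size_t datalength = DIGEST_LEN;

    if (!e->present)
        return 0;
    if (credentials)
        toy_digest(credentials, data);
    if (memcmp(data, e->data_stored, datalength) == 0 || !credentials) {
        e->present = 0;              /* "... do delete ..." */
        return 1;
    }
    return 0;                        /* mismatch: entry left in place */
}

/* Cache cached_pw, then run the delete path with the login attempt. */
static int try_update(const char *cached_pw, const char *attempt)
{
    struct cache_entry e = { 1, {0} };
    toy_digest(cached_pw, e.data_stored);
    return delete_cached(&e, attempt);
}

int main(void)
{
    printf("wrong password: deleted=%d\n", try_update("old-secret", "typo"));
    printf("same password:  deleted=%d\n", try_update("old-secret", "old-secret"));
    printf("no credentials: deleted=%d\n", try_update("old-secret", NULL));
    return 0;
}
```

Under this model the only case that skips the delete is the one the HOWTO relies on: a non-NULL credential that does not match the cached one.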