Re: Web Page for PAM security compromise: msg#00161

debian-www-debian

Subject: Re: Web Page for PAM security compromise

On Tue, Jul 28, 2009 at 10:38:21AM -0400, Sam Hartman wrote:
> Folks, I'm writing at the suggestion of Don and Joey. There is a
> serious, but rare bug in pam, where a user can get into a situation
> where any password will be accepted to access their system.
>
> We're going to display a critical debconf note if we detect this
> situation. We'd like to point people to a webpage where they can find
> out more information.
>
> I would appreciate help getting this web page written and finding a
> place for it.

Similar to the one used for the OpenSSL issue which used
http://www.debian.org/security/key-rollover, detailed page at
/security/pam-auth or something might be a good place for that
information.

Or link the securing-debian-howto from the released DSA?

> I don't feel qualified to write the content; I'm hoping that the www
> team plus the people cc'd on this message can help us get that
> together. We would like to do this with some urgency. In the
> interest of full disclosure, this issue has been known since March, but
> Steve prepared a fix this week. Still, the faster we can get that fix
> out to our users, the better it will be.
>
> I think that a web page might contain pointers to:

http://wiki.debian.org/SecurityManagement and
http://www.debian.org/doc/manuals/securing-debian-howto/ mainly.

> * Why it's reasonable to assume that a system on the Internet with no
> password will be compromised
> * Information on malicious software and botnets

There is a specific PAM chapter mentioning dictionary attacks at
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.fr.html#s4.10

> * Information on trying to do security recovery of a Debian system

http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.fr.html

> * Information on resources for commercial and free help in recovering

You mean recovering from a previous backup or recovering from the
current "potentially compromised status" without any backup?

> Here's a draft of a debconf note I've put together; Steve has not reviewed,
> and it may change internally.
>
> Template: libpam-runtime/you-had-no-auth
> Type: note
> _Description: Your system allows access with no password!
> When you configured PAM on this system, you elected to disable all
> PAM profiles. As a result, any password will be accepted to gain
> access to the system; even incorrect passwords will gain
> access. Especially if this system can be accessed from the Internet,
> it is likely that malicious software has been installed and the
> system compromised. Unless you are familiar with recovering from
> security failures, viruses, and malicious software you should
> re-install this system from scratch or obtain the services of a
> skilled system administrator. For more information see
> http://www.debian.org/xxx
> .
> The PAM packaging has been improved and the automated PAM
> configuration tool no longer permits this configuration. We
> apologize that previous versions of the PAM configuration did not
> detect and prevent this situation.

Regards.

--
Simon Paillard
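The debconf note quoted above describes a PAM auth stack in which any password is accepted. As an added example (not code from this thread or from the Debian PAM packaging), the POSIX shell check below classifies a PAM auth stack file as OK, PERMISSIVE or EMPTY; it assumes that the all-profiles-disabled state leaves the auth stack with nothing but pam_permit.so, an on-disk detail the mail does not state, and it uses a constructed sample file rather than the live /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Classify a PAM auth stack file:
#   OK         - at least one module that actually verifies a credential
#   PERMISSIVE - only pam_permit.so (every password accepted; assumed shape of
#                the "all profiles disabled" state described in the thread)
#   EMPTY      - no auth lines at all
# Usage: pam_auth_state /etc/pam.d/common-auth
pam_auth_state() {
    file="$1"
    verifying=0; permit=0; auth_lines=0
    while IFS= read -r line; do
        set -- $line
        [ "$1" = "auth" ] || continue      # skips blank lines and comments
        auth_lines=$((auth_lines + 1))
        # The module is the first token ending in .so; the control field may be
        # a bracketed expression containing spaces, so field position is unreliable.
        module=
        for tok in "$@"; do
            case "$tok" in *.so) module=$tok; break ;; esac
        done
        case "$module" in
            pam_permit.so)    permit=$((permit + 1)) ;;
            pam_deny.so|'')   ;;                       # deny or no module: not verifying
            *)                verifying=$((verifying + 1)) ;;
        esac
    done < "$file"
    if [ "$auth_lines" -eq 0 ]; then echo EMPTY
    elif [ "$verifying" -eq 0 ] && [ "$permit" -gt 0 ]; then echo PERMISSIVE
    else echo OK; fi
}

# Constructed sample (not a real system file): the assumed permit-only stack.
sample=$(mktemp)
printf '# /etc/pam.d/common-auth (constructed sample)\nauth\trequired\tpam_permit.so\n' > "$sample"
echo "constructed sample: $(pam_auth_state "$sample")"   # prints PERMISSIVE
rm -f "$sample"
```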
