From: Paul W. <no...@gi...> - 2025-02-06 11:39:43
Branch: refs/heads/master
Home:   https://github.com/OpenSC/pam_pkcs11

Commit: 2ecba68d404c3112546a9e802e3776b9f6c50a6a
    https://github.com/OpenSC/pam_pkcs11/commit/2ecba68d404c3112546a9e802e3776b9f6c50a6a
Author: Frank Morgner <fra...@gm...>
Date:   2024-12-06 (Fri, 06 Dec 2024)

Changed paths:
  M src/pam_pkcs11/pam_pkcs11.c

Log Message:
-----------
Fixed possible authentication bypass: Don't return PAM_IGNORE

Starting with bac6cf8e0b242e508e8b715e7f78d52f1227840a (released with
pam_pkcs11-0.6.12), return codes defaulted to PAM_IGNORE in most cases
where authentication was not possible. This change has not been
anticipated in PAM configurations and may lead to authentication
bypasses. If pam_pkcs11 was configured as the only module which could
provide authentication and would silently fail with PAM_IGNORE, then
this return code may be transformed to PAM_SUCCESS by subsequent PAM
modules that don't actually perform authentication.

This change avoids this situation by *not* returning PAM_IGNORE by
default as done in 0.6.11 and before.

If pam_pkcs11 is the only module providing authentication in the PAM
stack, then the following PAM configuration could be used to avoid this
situation as well:

    auth [success=ok default=bad] pam_pkcs11.so wait_for_card card_only

In the configuration above, PAM_IGNORE will lead to an authentication
failure even for an unpatched pam_pkcs11-0.6.12 (note the missing
`ignore=ignore`).

Thanks to Matthias Gerstner (@mgerstner) and the SUSE Linux team for
reporting this problem, providing analysis and the workaround
configuration of a possibly vulnerable PAM stack.

Commit: e87fc461655e0ca9c16f25348dff0616834c1507
    https://github.com/OpenSC/pam_pkcs11/commit/e87fc461655e0ca9c16f25348dff0616834c1507
Author: Paul Wolneykien <ma...@al...>
Date:   2024-12-10 (Tue, 10 Dec 2024)

Changed paths:
  M etc/pam.d_login.example.in

Log Message:
-----------
Move pam_securetty.so upward in the example PAM config

According to its documentation pam_securetty.so should be used before
sufficient modules (as it returns PAM_SUCCESS when all conditions are
met).

Commit: 87e18ccf60559e195de99c763343a984e5d01e92
    https://github.com/OpenSC/pam_pkcs11/commit/87e18ccf60559e195de99c763343a984e5d01e92
Author: Paul Wolneykien <ma...@al...>
Date:   2024-12-10 (Tue, 10 Dec 2024)

Changed paths:
  M etc/pam_pkcs11.conf.example.in
  M src/pam_pkcs11/pam_pkcs11.c

Log Message:
-----------
Restoring the original card_only / wait_for_card behavior

For historical reasons card_only means: if we are using a screen saver,
and we didn't log in using a smart card, drop to the next pam module
(PAM_IGNORE is returned).

wait_for_card means:
  1) nothing if card_only isn't set;
  2) if logged in, block in pam conversation until the token used for
     login is inserted;
  3) if not logged in, block until a token that could be used for
     logging in is inserted.

Right now, logged in means PKC11_LOGIN_TOKEN_NAME is set, but we could
do something else later (like set some per-user state in a PAM session
module keyed off UID).

Commit: ba53bab0da6564a3f7619147e783a0e5cbb0d2a2
    https://github.com/OpenSC/pam_pkcs11/commit/ba53bab0da6564a3f7619147e783a0e5cbb0d2a2
Author: Andrey Cherepanov <ca...@al...>
Date:   2025-01-15 (Wed, 15 Jan 2025)

Changed paths:
  M po/ru.po

Log Message:
-----------
Complete Russian translation of pam_pkcs11

Thanks Max Kosmach <ma...@el...> for help

Commit: a19e0f988986dc13cfeaba8bc408d35fc9d24dca
    https://github.com/OpenSC/pam_pkcs11/commit/a19e0f988986dc13cfeaba8bc408d35fc9d24dca
Author: Alexey I. Froloff <ra...@al...>
Date:   2025-01-15 (Wed, 15 Jan 2025)

Changed paths:
  M po/ru.po

Log Message:
-----------
Update Russian translations.

Commit: 33d13d4936440497c12812eae97cbc6c2ce010f2
    https://github.com/OpenSC/pam_pkcs11/commit/33d13d4936440497c12812eae97cbc6c2ce010f2
Author: Paul Wolneykien <ma...@al...>
Date:   2025-01-15 (Wed, 15 Jan 2025)

Changed paths:
  M etc/Makefile.am
  A etc/pkcs11-eventmgr.service

Log Message:
-----------
Add pkcs11-eventmgr systemd service unit

Commit: b665b287ff955bbbd9539252ff9f9e2754c3fb48
    https://github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48
Author: Frank Morgner <fra...@gm...>
Date:   2025-01-17 (Fri, 17 Jan 2025)

Changed paths:
  M src/common/cert_vfy.h
  M src/pam_pkcs11/pam_config.c
  M src/pam_pkcs11/pam_pkcs11.c

Log Message:
-----------
fixed possible authentication bypass: Use signatures to verify authentication by default

If cert_policy is set to none (the default value), then pam_pkcs11 will
only check if the user is capable of logging into the token. An attacker
may create a different token with the user's public data (e.g. the
user's certificate) and a PIN known to the attacker. If no signature
with the private key is required, then the attacker may now log in as
the user with that created token.

This change, by default, uses the private key to create a signature. A
new policy, `no_signature`, is introduced if the module should really
*not* validate the key's signature.

Commit: fea15692fd1c988ca6d19a8b1644e6b814b9f5ee
    https://github.com/OpenSC/pam_pkcs11/commit/fea15692fd1c988ca6d19a8b1644e6b814b9f5ee
Author: Paul Wolneykien <ma...@al...>
Date:   2025-01-19 (Sun, 19 Jan 2025)

Changed paths:
  M ChangeLog

Log Message:
-----------
Updated the changelog for the next version

Commit: 834ef53bf2ede80cc3769ba6c2722a483710b1c9
    https://github.com/OpenSC/pam_pkcs11/commit/834ef53bf2ede80cc3769ba6c2722a483710b1c9
Author: Paul Wolneykien <ma...@al...>
Date:   2025-01-19 (Sun, 19 Jan 2025)

Changed paths:
  M po/ru.po

Log Message:
-----------
Merge branch 'newpatch/ru' into next

Commit: 45f1cba2d7caec8ef8d44d8bc5bf2c3aaed871fa
    https://github.com/OpenSC/pam_pkcs11/commit/45f1cba2d7caec8ef8d44d8bc5bf2c3aaed871fa
Author: Paul Wolneykien <ma...@al...>
Date:   2025-01-19 (Sun, 19 Jan 2025)

Changed paths:
  M etc/Makefile.am
  A etc/pkcs11-eventmgr.service

Log Message:
-----------
Merge branch 'newpatch/systemd' into next

Commit: 3ff317fb80f3ad0dc06425badf6cde6c92c3c249
    https://github.com/OpenSC/pam_pkcs11/commit/3ff317fb80f3ad0dc06425badf6cde6c92c3c249
Author: Paul Wolneykien <ma...@al...>
Date:   2025-01-19 (Sun, 19 Jan 2025)

Changed paths:
  M ChangeLog

Log Message:
-----------
Update the changelog for the next version with two more entries

Commit: c643c88637281e3ec1cf5daf114f14358b3eb207
    https://github.com/OpenSC/pam_pkcs11/commit/c643c88637281e3ec1cf5daf114f14358b3eb207
Author: Paul Wolneykien <ma...@al...>
Date:   2025-01-19 (Sun, 19 Jan 2025)

Changed paths:
  M pam_pkcs11.spec

Log Message:
-----------
Include pkcs11-eventmgr.service into the RPM

Commit: 82a0f8b89ca1b40d1dac6266d1d079a2a3490090
    https://github.com/OpenSC/pam_pkcs11/commit/82a0f8b89ca1b40d1dac6266d1d079a2a3490090
Author: Paul Wolneykien <ma...@al...>
Date:   2025-02-04 (Tue, 04 Feb 2025)

Changed paths:
  M etc/pam_pkcs11.conf.example.in

Log Message:
-----------
Fixed @libdir@ substantiator in "opensc" module definition

Commit: 60f146f551a4a80a63ba26c7caed94540886594b
    https://github.com/OpenSC/pam_pkcs11/commit/60f146f551a4a80a63ba26c7caed94540886594b
Author: Paul Wolneykien <ma...@al...>
Date:   2025-02-04 (Tue, 04 Feb 2025)

Changed paths:
  M src/pam_pkcs11/pam_pkcs11.c

Log Message:
-----------
Fix: More changes to make slot_num = 0 by default (see 6866efd)

Commit: 66aeb46bddcf9c3b9c44df4d566d342cbcab58a4
    https://github.com/OpenSC/pam_pkcs11/commit/66aeb46bddcf9c3b9c44df4d566d342cbcab58a4
Author: Paul Wolneykien <ma...@al...>
Date:   2025-02-04 (Tue, 04 Feb 2025)

Changed paths:
  M etc/pam_pkcs11.conf.example.in

Log Message:
-----------
Fix: Make "opensc" module configuration to use the currently default slot_num = 0

Commit: d9530167966a77115db6e885d459382a2e52ee9e
    https://github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9e
Author: Paul Wolneykien <ma...@al...>
Date:   2025-02-04 (Tue, 04 Feb 2025)

Changed paths:
  M etc/pam_pkcs11.conf.example.in
  M src/pam_pkcs11/pam_config.c

Log Message:
-----------
Update configuration files for the CVE-2025-24032 fix

Added a comment on the "no_signature" value. Also, use "signature"
instead of "none". Added a note that "none" doesn't mean "no_signature".

Commit: 470263258d1ac59c5eade439c4d9caba0097e6e6
    https://github.com/OpenSC/pam_pkcs11/commit/470263258d1ac59c5eade439c4d9caba0097e6e6
Author: Paul Wolneykien <ma...@al...>
Date:   2025-02-04 (Tue, 04 Feb 2025)

Changed paths:
  M ChangeLog
  M NEWS

Log Message:
-----------
Updated ChangeLog and NEWS

Commit: b8dbe6370d36a6a11a466d5f0ee285804103e030
    https://github.com/OpenSC/pam_pkcs11/commit/b8dbe6370d36a6a11a466d5f0ee285804103e030
Author: Paul Wolneykien <ma...@al...>
Date:   2025-02-04 (Tue, 04 Feb 2025)

Changed paths:
  M configure.ac
  M pam_pkcs11.spec

Log Message:
-----------
Version 0.6.13

Compare: https://github.com/OpenSC/pam_pkcs11/compare/b41f250f4f4b...b8dbe6370d36

To unsubscribe from these emails, change your notification settings at https://github.com/OpenSC/pam_pkcs11/settings/notifications
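The two authentication-bypass fixes above (the PAM_IGNORE fall-through in 2ecba68 and the missing signature check in b665b28, CVE-2025-24032) are both visible from configuration alone, so an administrator can audit a host before or after upgrading. The script below is an added example for this page, not code from the pam_pkcs11 project. It expands the PAM control keywords exactly as pam.conf(5) documents them (required, requisite, sufficient, optional) and flags any `auth` line loading `pam_pkcs11.so` whose control does not route PAM_IGNORE to `bad` or `die`; it then flags `cert_policy` values under which no private-key signature is checked. The sample stack and conf fragments are constructed for illustration, and the installed pam_pkcs11 version is an assumption the caller passes in, since the config files do not carry it.

```python
"""Audit a PAM stack and pam_pkcs11.conf for the two 0.6.13 bypass conditions.

Added example, not pam_pkcs11 project code. Control-keyword expansions follow
pam.conf(5); all sample inputs below are constructed, not real system files.
"""
from __future__ import annotations

import re

# pam.conf(5): the keyword controls are shorthand for these bracketed forms.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Only these actions make a PAM_IGNORE count as a failure of the stack.
FAILING_ACTIONS = {"bad", "die"}

# "[-]type control module [args]"; a bracketed control may contain spaces.
PAM_LINE = re.compile(r"^(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_control(control: str) -> dict[str, str]:
    """Map a control field to its {return-value: action} table."""
    if control.startswith("[") and control.endswith("]"):
        return dict(token.split("=", 1) for token in control[1:-1].split())
    return dict(KEYWORD_CONTROLS.get(control, {}))  # include/substack: no table


def ignore_action(actions: dict[str, str]) -> str | None:
    """Action PAM applies to PAM_IGNORE: explicit ignore=..., else default=..."""
    return actions.get("ignore", actions.get("default"))


def audit_pam_stack(text: str) -> list[str]:
    """Flag auth lines loading pam_pkcs11.so whose control lets a PAM_IGNORE
    pass without failing the stack (the pre-0.6.13 bypass condition)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        _, mtype, control, module, _ = m.groups()
        if mtype != "auth" or not module.endswith("pam_pkcs11.so"):
            continue
        action = ignore_action(parse_control(control))
        if action not in FAILING_ACTIONS:
            findings.append(
                f"line {lineno}: control {control!r} maps PAM_IGNORE to "
                f"{action!r}; use [success=ok default=bad] (no ignore=ignore)"
            )
    return findings


CERT_POLICY = re.compile(r"^cert_policy\s*=\s*([^;]+);?$")


def audit_pkcs11_conf(text: str, version: tuple[int, int, int]) -> list[str]:
    """Flag cert_policy values with no private-key signature check
    (CVE-2025-24032): 'no_signature' always, 'none' before 0.6.13."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = CERT_POLICY.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        policies = {p.strip() for p in m.group(1).split(",")}
        if "no_signature" in policies:
            findings.append(f"line {lineno}: cert_policy disables the signature check")
        elif "none" in policies and version < (0, 6, 13):
            findings.append(
                f"line {lineno}: cert_policy = none means no signature check on "
                f"pam_pkcs11 {'.'.join(map(str, version))}; set signature"
            )
    return findings


# Constructed samples (not real system files).
VULNERABLE_LOGIN = """\
auth sufficient pam_pkcs11.so wait_for_card card_only
auth required   pam_permit.so
"""
HARDENED_LOGIN = "auth [success=ok default=bad] pam_pkcs11.so wait_for_card card_only\n"
OLD_CONF = "pam_pkcs11 {\n  cert_policy = none;\n}\n"
NEW_CONF = "pam_pkcs11 {\n  cert_policy = signature;\n}\n"

if __name__ == "__main__":
    print("vulnerable stack:", audit_pam_stack(VULNERABLE_LOGIN) or "ok")
    print("hardened stack:  ", audit_pam_stack(HARDENED_LOGIN) or "ok")
    print("0.6.12 conf:     ", audit_pkcs11_conf(OLD_CONF, (0, 6, 12)) or "ok")
    print("0.6.13 conf:     ", audit_pkcs11_conf(NEW_CONF, (0, 6, 13)) or "ok")
```

The point of the expansion table is why the commit message stresses the missing `ignore=ignore`: `required` is shorthand for `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`, so a PAM_IGNORE from pam_pkcs11 is simply dropped and the stack result is decided by whatever follows, whereas the bracketed `[success=ok default=bad]` has no `ignore=` entry and PAM_IGNORE falls through to `default=bad`. The `sufficient` keyword is worse still, since its `default=ignore` drops every non-success code.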