The pam_bsdbioapi(8) module always prompts for finger swiping before failing and proceeding to the next module, even when the user has not enrolled yet. Fix: Add the following patch (in /usr/ports/security/pam_bsdbioapi/files for example), then add -s option to the pam_bsdbioapi lines in /etc/pam.d/*: -------------------- snip -------------------- snip -------------------- Note that the "skip-unenrolled" behavior is not enabled by default because of security implications (see the new pam_bsdbioapi(8) manpage).--6OzuIqwn1MoaDsWBTrW25IhscpN7LNCrPLjgAH04ZeNowl4i Content-Type: text/plain; name="file.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="file.diff" --- src/pam_bsdbioapi/pam_bsdbioapi.8 Thu Feb 23 06:15:13 2006 +++ src/pam_bsdbioapi/pam_bsdbioapi.8.new Sun Dec 10 06:36:31 2006 @@ -36,6 +36,7 @@ .Ar pam_bsdbioapi .Ar bsp-uuid .Ar backend +.Op -s .Op -f birdb-path .Op -m message-file .Sh DESCRIPTION @@ -69,6 +70,12 @@ This option is required. .Pp .Bl -tag -width ".Fl m Ar message-file" +.It Fl s +Fail without prompting the user to swipe finger if the user has not enrolled +yet. +This is useful if only a handful of users has enrolled, but leaks whether the +given user has enrolled, to whomever tries to authenticate as the user (e.g. +an attacker outside). .It Fl f Ar birdb-path Specify an alternative path to the birdb.conf file for backend configuration. The default is /usr/local/etc/birdb.conf --- src/pam_bsdbioapi/pam_bsdbioapi.c Thu Feb 23 06:15:13 2006 +++ src/pam_bsdbioapi/pam_bsdbioapi.c.new Sun Dec 10 06:26:57 2006 @@ -215,7 +215,7 @@ int argc, const char *argv[]) { const char *user, *bsp_id, *dbid, *conf, *msgfile; - int error, pam_retval = PAM_AUTH_ERR; + int error, pam_retval = PAM_AUTH_ERR, skip_unenrolled; BioAPI_HANDLE *handle; struct birdb_rec keyrec, **recs; struct birdb_mod *bm; 
@@ -241,9 +241,10 @@ conf = DEFCONFPATH; msgfile = NULL; + skip_unenrolled = 0; optind = 2; - while ((opt = getopt(argc, (char **)argv, "m:f:")) != -1) { + while ((opt = getopt(argc, (char **)argv, "m:f:s")) != -1) { switch (opt) { case 'm': msgfile = argv[optind - 1]; @@ -253,6 +254,9 @@ conf = argv[optind - 1]; PAM_LOG("Got birdb configuration file: %s", conf); break; + case 's': + skip_unenrolled = 1; + break; } } @@ -271,7 +275,6 @@ PAM_LOG("Got user: %s", user); setuid(euid); - pam_info(pamh, "Initiating biometric authentication..."); error = bioapi_init(); if (error) @@ -312,7 +315,8 @@ keyrec.br_key = (char *)user; recs = birdb_backend_get(bm, bmh, &keyrec); - if (recs != NULL) { + if (recs != NULL && (!skip_unenrolled || recs[0] != NULL)) { + pam_info(pamh, "Initiating biometric authentication..."); handle = bioapi_attach_bsp(bsp_id); if (handle == NULL) { PAM_VERBOSE_ERROR("Failed to attach the selected BSP"); -------------------- snip -------------------- snip -------------------- How-To-Repeat: Enable pam_bsdbioapi(8) in /etc/pam.d/login, and try to login as a user who has not enrolled yet; the module prompts as if the user is enrolled.
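Review bot: in the SYNOPSIS hunk (@@ -36,6 +36,7 @@), `.Op -s` follows the file's existing `.Op -f birdb-path` style, but the DESCRIPTION hunk introduces the same flag as `.It Fl s`; consider `.Op Fl s` so mdoc renders the flag the same way in both places.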
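Review bot: in the DESCRIPTION hunk (@@ -69,6 +70,12 @@), "a handful of users has enrolled" should read "have enrolled". The trade-off sentence is the important part of this text and is worth keeping explicit: with -s the module answers immediately for a user with no record and prompts for one with a record, so anyone who can attempt a login can tell the two apart, which is why the option is off by default.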
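Review bot: the hunk at @@ -271,7 +275,6 @@ removes the "Initiating biometric authentication..." pam_info() before bioapi_init(), and the later hunk re-adds it only inside the `if (recs != NULL ...)` branch. That changes behaviour for every caller, not only those using -s: the message now appears after bioapi_init() and the backend lookup instead of before them, so a failure in either no longer shows the message. The change is reasonable, but it is not mentioned in the description and belongs in the commit log.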
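Review bot: in the hunk at @@ -312,7 +315,8 @@, `recs != NULL && (!skip_unenrolled || recs[0] != NULL)` assumes birdb_backend_get() returns a non-NULL array whose first element is NULL for a user with no enrolled records; that contract is not visible here and deserves a one-line comment at the call site, and if the backend can instead return NULL for "no records" the -s check has no effect for that case. When the branch is skipped, pam_retval keeps the PAM_AUTH_ERR set in the declaration hunk, which matches the documented "fail without prompting"; confirm the existing cleanup path still releases `recs` on that path, since nothing in the visible lines does.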
State Changed From-To: open->feedback Awaiting maintainer's feedback
I have no objections to the content of this patch; however, I would rather see this patch merged with the upstream code base than have it as a separate patch in the ports tree. As I happen to be the author of pam_bsdbioapi too, I'll merge the patch; however, it might take a week or two, as my development repository is down at the moment due to a server relocation.
Fredrik Lindberg
State Changed From-To: feedback->open Maintainer approved.
Responsible Changed From-To: freebsd-ports-bugs->ehaupt I will take care of it.
ehaupt 2006-12-23 20:28:25 UTC
FreeBSD ports repository

Modified files:
  security/pam_bsdbioapi  Makefile pkg-plist
Added files:
  security/pam_bsdbioapi/files  patch-src_pam_bsdbioapi_pam_bsdbioapi.8 patch-src_pam_bsdbioapi_pam_bsdbioapi.c
Log:
The pam_bsdbioapi(8) module always prompts for finger swiping before failing and proceeding to the next module, even when the user has not enrolled yet. This patchset adds a command line option to skip this behaviour.

NOTE: This patch will go into the next upstream release.

PR:           106564
Submitted by: Eugene M. Kim <freebsd.org@ab.ote.we.lv>
Approved by:  Fredrik Lindberg <fli@shapeshifter.se> (maintainer)

Revision  Changes  Path
1.3       +2 -1    ports/security/pam_bsdbioapi/Makefile
1.1       +23 -0   ports/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.8 (new)
1.1       +51 -0   ports/security/pam_bsdbioapi/files/patch-src_pam_bsdbioapi_pam_bsdbioapi.c (new)
1.3       +1 -1    ports/security/pam_bsdbioapi/pkg-plist
State Changed From-To: open->closed Committed, thanks!