[Buildroot] [Bug 12181] New: dropbear: norootlogin (-w) no longer works when PAM is enabled

[Buildroot] [Bug 12181] New: dropbear: norootlogin (-w) no longer works when PAM is enabled

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12181

            Bug ID: 12181
           Summary: dropbear: norootlogin (-w) no longer works when PAM is
                    enabled
           Product: buildroot
           Version: 2019.02.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: Other
          Assignee: unassigned at buildroot.uclibc.org
          Reporter: jan.dumon at septentrio.com
                CC: buildroot at uclibc.org
  Target Milestone: ---

This affects dropbear 2018.76 in 2019.02.5 and earlier.

The vanilla dropbear 2018.76 doesn't have this problem, it is introduced
(ironically) by the patch for CVE-2018-15599 in
https://git.busybox.net/buildroot/commit?id=4a3b0ba38fde05e8f8c3512d516d86803efa44c0

It only happens when PAM is enabled & used.

When invoked with the -w command line argument, root logins should be
disallowed, but when someone attempts to login as root, the following happens:

- login attempt for root
- password is asked
- norootlogin is set but pam is invoked anyway
- pam validates the password and an 'already authenticated flag' gets set
- login still fails (as is expected) and password is asked again
- regardless of input, root can log in because he was authenticated before.
  (completely unexpected !!!)

It's still required to have a proper password but the root login should not be
allowed per the -w command line argument.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12181] dropbear: norootlogin (-w) no longer works when PAM is enabled

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12181

--- Comment #1 from Jan Dumon <jan.dumon@septentrio.com> ---
2019.08 is not affected as it uses a more recent dropbear (2019.78) and no
longer has the CVE patch.
This bug is only applicable to the LTS (2019.02.xx)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12181] dropbear: norootlogin (-w) no longer works when PAM is enabled

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12181

Peter Korsgaard <jacmet@uclibc.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12181] dropbear: norootlogin (-w) no longer works when PAM is enabled

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12181

--- Comment #2 from Peter Korsgaard <jacmet@uclibc.org> ---
(In reply to Jan Dumon from comment #1)
So that presumably means that it has gotten fixed upstream. Looking at the git
history:

git shortlog DROPBEAR_2018.76..DROPBEAR_2019.78 -- svr-authpam.c
Matt Johnston (1):
      Wait to fail invalid usernames

vincentto13 (1):
      Fix for issue successfull login of disabled user (#78)

Presumably this is fixed by the 2nd patch. Can you try applying this patch to
the 2019.02.x version and test:

commit a0aa2749813331134452f80bb8a808bdc871ba41
Author: vincentto13 <33652988+vincentto13@users.noreply.github.com>
Date:   Wed Mar 20 15:03:40 2019 +0100

This commit introduces fix for scenario:
1. Root login disabled on dropbear
2. PAM authentication model enabled

While login as root user, after prompt for password
user is being notified about login failrue, but
after second attempt of prompt for password within
same session, login becames succesfull.

Signed-off-by: Pawel Rapkiewicz <pawel.rapkiewicz@gmail.com>
---
 svr-authpam.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/svr-authpam.c b/svr-authpam.c
index d201bc9..e236db4 100644
--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -275,6 +275,7 @@ void svr_auth_pam(int valid_user) {
                /* PAM auth succeeded but the username isn't allowed in for
another reason
                (checkusername() failed) */
                send_msg_userauth_failure(0, 1);
+               goto cleanup;
        }

        /* successful authentication */

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12181] dropbear: norootlogin (-w) no longer works when PAM is enabled

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12181

--- Comment #3 from Jan Dumon <jan.dumon@septentrio.com> ---
(In reply to Peter Korsgaard from comment #2)
> Presumably this is fixed by the 2nd patch. Can you try applying this patch to
> the 2019.02.x version and test:

Tried it and it works, no more root logins with -w.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Buildroot] [Bug 12181] dropbear: norootlogin (-w) no longer works when PAM is enabled

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=12181

Peter Korsgaard <jacmet@uclibc.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #4 from Peter Korsgaard <jacmet@uclibc.org> ---
Fixed by
https://git.buildroot.org/buildroot/commit/?id=ae81527917e74b9751df4e7bfb7a0b2688362eac,
thanks

-- 
You are receiving this mail because:
You are on the CC list for the bug.