Package: libpam-google-authenticator
Version: 20160607-2+b1
Severity: grave
Tags: security patch
Justification: user security hole
When configuring this pam module to add two-factor authentication to your ssh daemon (for example), every ssh-enabled user has to be configured for google-authenticator. If you want to configure google-authenticator only for some users, not all, various howtos available on the internet suggest using the "nullok" argument in the pam config. But this opens a security hole for all users not configured to use the google-authenticator, as these users can access the ssh server without supplying any credentials at all.

There is essentially no way to use pam to ask for the user's password, if the authenticator is not configured for this user, and to only ask for the otp code if it is configured for the user.

See also https://github.com/google/google-authenticator-libpam/issues/55 for a more complete description of the issue (especially this comment: https://github.com/google/google-authenticator-libpam/issues/55#issuecomment-275943553 ).

See commit https://github.com/google/google-authenticator-libpam/commit/4f7d3b13d1850108be91b63de2aec22538d8be6e for a patch.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-google-authenticator depends on:
ii  libc6         2.24-11
ii  libpam0g      1.1.8-3.6
ii  libqrencode3  3.4.4-1+b2

libpam-google-authenticator recommends no packages.

libpam-google-authenticator suggests no packages.

-- no debconf information
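To make the mechanism behind the report concrete, here is an added Python model (not code from this report or from google-authenticator-libpam) of how a PAM auth stack resolves control flags when pam_google_authenticator is given nullok. The user table, the module models and the two stacks are constructed assumptions; the nullok behaviour modelled is the one the report describes, namely that a user with no secret file is accepted outright.

```python
# Module behaviour and the user table are constructed models, not the library.
SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Constructed accounts: alice has enrolled, bob has no ~/.google_authenticator.
USERS = {
    "alice": {"password": "pw-alice", "otp": "123456"},
    "bob":   {"password": "pw-bob",   "otp": None},
}

def pam_unix(user, creds, prompts):
    """Model of the password module: asks for and checks the password."""
    prompts.append("Password:")
    return SUCCESS if creds.get("password") == user["password"] else AUTH_ERR

def pam_google_authenticator(user, creds, prompts, nullok=False):
    """Model of the OTP module as the report describes it: with nullok, a user
    who has no secret file is accepted without being asked for anything."""
    if user["otp"] is None:
        return SUCCESS if nullok else AUTH_ERR
    prompts.append("Verification code:")
    return SUCCESS if creds.get("otp") == user["otp"] else AUTH_ERR

def run_stack(stack, username, creds):
    """Evaluate (control, module, kwargs) entries with the usual Linux-PAM
    meaning of 'required' and 'sufficient'. Returns (result, prompts shown)."""
    user, prompts, failed = USERS[username], [], False
    for control, module, kwargs in stack:
        rc = module(user, creds, prompts, **kwargs)
        if control == "required" and rc != SUCCESS:
            failed = True                   # stack keeps running but will fail
        elif control == "sufficient" and rc == SUCCESS and not failed:
            return SUCCESS, prompts         # short-circuit; later modules skipped
    return (AUTH_ERR if failed else SUCCESS), prompts

# Howto-style stack: the OTP module alone with nullok, common-auth left out.
NULLOK_ONLY = [("required", pam_google_authenticator, {"nullok": True})]

# Variant that keeps pam_unix but marks the OTP module 'sufficient'.
NULLOK_SUFFICIENT = [("sufficient", pam_google_authenticator, {"nullok": True}),
                     ("required", pam_unix, {})]

if __name__ == "__main__":
    for label, stack in (("nullok only", NULLOK_ONLY), ("nullok sufficient", NULLOK_SUFFICIENT)):
        for name in USERS:
            rc, prompts = run_stack(stack, name, creds={})  # no credentials offered
            print(f"{label:18} {name:6} -> {rc:13} prompts={prompts}")
```

Under both stacks the unconfigured account "bob" comes back PAM_SUCCESS with an empty prompt list, while "alice" is asked for her verification code; with the second stack bob is never asked for a password either, which is the gap the report points out.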