Your message dated Sun, 02 Jul 2017 10:34:23 +0000
with message-id <e1drcct-000ipu...@fasolo.debian.org>
and subject line Bug#864187: fixed in google-authenticator 20170702-1
has caused the Debian Bug report #864187,
regarding libpam-google-authenticator: Security issue when using a common configuration scheme
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864187: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864187
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-google-authenticator
Version: 20160607-2+b1
Severity: grave
Tags: security patch
Justification: user security hole

When configuring this pam module to add two-factor authentication to your ssh
daemon (for example), every ssh-enabled user has to be configured for
google-authenticator. If you want to configure google-authenticator only for
some users, not all, various howtos available on the internet suggest using the
"nullok" argument in the pam config.

But this opens a security hole for all users not configured to use the
google-authenticator, as these users can access the ssh server without
supplying any credentials at all.

There is essentially no way to use pam to ask for the user's password,
if the authenticator is not configured for this user, and to only ask
for the otp code if it is configured for the user.

See also https://github.com/google/google-authenticator-libpam/issues/55
for a more complete description of the issue (especially this comment:
https://github.com/google/google-authenticator-libpam/issues/55#issuecomment-275943553).

See commit 
https://github.com/google/google-authenticator-libpam/commit/4f7d3b13d1850108be91b63de2aec22538d8be6e
for a patch.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-google-authenticator depends on:
ii  libc6         2.24-11
ii  libpam0g      1.1.8-3.6
ii  libqrencode3  3.4.4-1+b2

libpam-google-authenticator recommends no packages.

libpam-google-authenticator suggests no packages.

-- no debconf information

--- End Message ---
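The report above describes the exposure concretely: with "nullok" on the module's "auth" line, every login-capable account that has no ~/.google_authenticator secret file passes the module without a second factor. The following audit script is an added example (written for this page, not code from the bug report, from Debian, or from google-authenticator-libpam) that enumerates exactly those accounts from a PAM service file and a passwd file, so an administrator can see who the setting affects before relying on it. It assumes the module's default secret location, $HOME/.google_authenticator, and treats shells named nologin or false as non-interactive; the passwd entries, PAM service files and home directories it builds are constructed sample data.

```shell
#!/bin/sh
# Added audit helper; not code from the bug report or from google-authenticator-libpam.
# Lists the login-capable users that pam_google_authenticator.so would let through
# when an "auth" line for the module carries the "nullok" argument: those whose home
# directory has no .google_authenticator secret file.
# Assumptions: the secret file is $HOME/.google_authenticator (the module's default
# location) and "login-capable" means a shell other than nologin/false.

# pam_uses_nullok PAMFILE
# Succeeds when an uncommented "auth" line loads the module with "nullok".
pam_uses_nullok() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so.*[[:space:]]nullok([[:space:]]|$)' \
        "$1" >/dev/null 2>&1
}

# nullok_exposed_users PAMFILE PASSWDFILE
# Prints one username per line for each login-capable user without a secret file.
# Prints nothing when the service file does not use nullok (nothing is bypassed then).
nullok_exposed_users() {
    pam_uses_nullok "$1" || return 0
    while IFS=: read -r user _ _ _ _ home shell; do
        case "$shell" in
            */nologin|*/false|"") continue ;;   # not an interactive account
        esac
        [ -f "$home/.google_authenticator" ] || printf '%s\n' "$user"
    done < "$2"
}

# build_fixture DIR
# Creates a constructed passwd file, two PAM service files and home directories
# under DIR so the checks above can be exercised offline. Sample data only.
build_fixture() {
    dir=$1
    mkdir -p "$dir/home/alice" "$dir/home/bob"
    : > "$dir/home/alice/.google_authenticator"   # alice has enrolled, bob has not
    cat > "$dir/passwd" <<EOF
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000::$dir/home/alice:/bin/bash
bob:x:1001:1001::$dir/home/bob:/bin/bash
EOF
    # Howto-style configuration from the report: the module alone, with nullok,
    # and the password stack commented out.
    cat > "$dir/sshd-nullok" <<EOF
# @include common-auth
auth required pam_google_authenticator.so nullok
EOF
    # Same file without nullok: users without a secret file fail the module.
    cat > "$dir/sshd-strict" <<EOF
auth required pam_google_authenticator.so
EOF
}

# Run directly with the argument "demo" to print the audit against the fixture.
if [ "${1-}" = demo ]; then
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    echo "accounts let through by nullok (sshd-nullok):"
    nullok_exposed_users "$tmp/sshd-nullok" "$tmp/passwd"    # prints: bob
    echo "accounts let through by nullok (sshd-strict):"
    nullok_exposed_users "$tmp/sshd-strict" "$tmp/passwd"    # prints nothing
    rm -rf "$tmp"
fi
```

On a real host the same two functions can be pointed at /etc/pam.d/sshd and /etc/passwd; any name the script prints is an account that the "nullok" configuration admits without an OTP, which is the set of users the report is concerned about.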
--- Begin Message ---
Source: google-authenticator
Source-Version: 20170702-1

We believe that the bug you reported is fixed in the latest version of
google-authenticator, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Janos Lenart <o...@debian.org> (supplier of updated google-authenticator package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Jul 2017 11:02:29 +0100
Source: google-authenticator
Binary: libpam-google-authenticator
Architecture: source amd64
Version: 20170702-1
Distribution: unstable
Urgency: medium
Maintainer: Janos Lenart <o...@debian.org>
Changed-By: Janos Lenart <o...@debian.org>
Description:
 libpam-google-authenticator - Two-step verification
Closes: 864187
Changes:
 google-authenticator (20170702-1) unstable; urgency=medium
 .
   * Upstream update (00065df) (Closes: #864187).
Checksums-Sha1:
 a1636e3f431c4ec4e98eb262e62958c160749370 1570 google-authenticator_20170702-1.dsc
 676daeda82925696397da93e856995f39e3bd569 54076 google-authenticator_20170702.orig.tar.gz
 b25a6d2265a3f6721bfe364d3a29c25a9b270b75 3956 google-authenticator_20170702-1.debian.tar.xz
 b35030ab4ed90f11a4f89b7d367bc6c9e3e35ddd 6454 google-authenticator_20170702-1_amd64.buildinfo
 2f0db7f28392f282346f9eb2695398743483c5ca 60188 libpam-google-authenticator-dbgsym_20170702-1_amd64.deb
 57591b5dcda3877c3ddf2d2d5e2a342e7cf3539c 32742 libpam-google-authenticator_20170702-1_amd64.deb
Checksums-Sha256:
 b23ae664c3e31b222c89f4712c4e212c4d5dc56b85c8ae989f6d6707e414b098 1570 google-authenticator_20170702-1.dsc
 bc813dd4b280d9b38acaeb4d54ca54c224c918f28da13343a0ff4eda9fa75fce 54076 google-authenticator_20170702.orig.tar.gz
 afa75ae4bdd82965b2043e902b1f4e36c3220db6852109e29c93757613b0aaeb 3956 google-authenticator_20170702-1.debian.tar.xz
 dc696d8a004a18380621e50ac9b7a3d25363fe2e189df6d066e1ac1e812d29f2 6454 google-authenticator_20170702-1_amd64.buildinfo
 52ed464dd50ffd55de4d91d88e08244e9e18d8f3757a0dbb7b31da39c65575cc 60188 libpam-google-authenticator-dbgsym_20170702-1_amd64.deb
 b613bec7adcbcf9274c9e3726833ade701d8c02b232a51711e72bc8f1bd35ffd 32742 libpam-google-authenticator_20170702-1_amd64.deb
Files:
 147d2fd3d3a637718661c2f96fcd218a 1570 admin optional google-authenticator_20170702-1.dsc
 d9fa30f5a9af6b4d44c158899263651d 54076 admin optional google-authenticator_20170702.orig.tar.gz
 ca1301b1381c9c1ac291fddeeca042e8 3956 admin optional google-authenticator_20170702-1.debian.tar.xz
 8175a984d1bf8fa97a529b87959674d5 6454 admin optional google-authenticator_20170702-1_amd64.buildinfo
 261b537081d716c933650d20ddbec8e3 60188 debug extra libpam-google-authenticator-dbgsym_20170702-1_amd64.deb
 64bbffe2dce558b8e0fda2bb8ac4c61a 32742 admin optional libpam-google-authenticator_20170702-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFEBAEBCAAuFiEER8wRF8gFmDcPrXi0JHmvJU99vGUFAllYx6YQHG9jc2lAZGVi
aWFuLm9yZwAKCRAkea8lT328ZZrUB/kBr2BisuGnqCQJbYuhtIqWxRhwrxpwH60z
T6oveomk5yyzsOv/7Kne7MNyQLMNogRcJFtVS9MKSRyR+BQt/9w8kQgjuf9+iTa6
+dXPosofFECmb3CEimUU0FUHhVsM00TDlvIkVXBaZa5M6IpUOotlCAz0lWQj0v6a
tZbssCHp9HMq0n67klKMxJN2P1nqGEa5XXHLg3mwI2AaPR6k33eab/pL5JtDhX2e
38HDKJDvZ/rvpfHy8m3tFb6dXp+SdTxeEzkiXNYBSt0RCczTkh6pVN4X+U7dJqCi
3Sz50+fn3tkGIg+DE2gsChq7Ije/h9Uwhp8ihewVZae1in8tFI0x
=BlRc
-----END PGP SIGNATURE-----

--- End Message ---