oss-sec mailing list archives

Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013)

From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Wed, 15 Jan 2025 23:58:00 -0600

On 1/15/25 06:03, Matthias Gerstner wrote:

There exist utility modules that don't
actually authenticate but perform helper functions or enforce policy. An
example is the pam_faillock [8] module, which can be added to the
`auth` management group to record failed authentication attempts and
lock the account for a certain time if too many failed attempts occur.
This module will return `PAM_SUCCESS` when running in "preauth" mode and
if the maximum number of failed attempts has not been reached yet. In
such a case `PAM_SUCCESS` would become the overall authentication result
when pam-u2f returns `PAM_IGNORE`.

This looks to me like a logic error in PAM. Why are utility modulesthat do not actually perform authentication returning PAM_SUCCESS(indicating successful authentication(!)) instead of PAM_IGNORE or someother "neutral" code?

Is this a widespread misconfiguration? Is there a keyword that causesPAM to treat failure as failure but ignore PAM_SUCCESS that should beused with those utility modules?



-- Jacob

Current thread:

pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 15)
- Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Jacob Bachmeyer (Jan 15)
  - Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Matthias Gerstner (Jan 16)
    - Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Steffen Nurpmeso (Jan 16)
    - Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) Russ Allbery (Jan 16)