From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001 From: ikerexxe Date: Tue, 16 Jun 2020 14:32:36 +0200 Subject: pam_unix: avoid determining if user exists Taking a look at the time for the password prompt to appear it was possible to determine if a user existed in a system. Solved it by matching the runtime until the password prompt was shown by always checking the password hash for an existing and a non-existing user. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 --- modules/pam_unix/passverify.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'modules/pam_unix/passverify.c') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index a571b4f7..7455eae6 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok) if (pwd == NULL || hash == NULL) { helper_log_err(LOG_NOTICE, "check pass; user unknown"); retval = PAM_USER_UNKNOWN; + } else if (p[0] == '\0' && nullok) { + if (hash[0] == '\0') { + retval = PAM_SUCCESS; + } else { + retval = PAM_AUTH_ERR; + } } else { retval = verify_pwd_hash(p, hash, nullok); } -- cgit v1.2.3