
Video attached - I can basically see the password after "incorrect password". #139

Open
gabriele2000 opened this issue Mar 20, 2022 · 4 comments

Comments

@gabriele2000

To trigger the bug you have to "fail", then quickly type your password... the system will take some seconds to ask for the password again, and while it's "processing" you'll be able to see your password.
The video attached is inside the .zip

Bug.zip

@millert
Collaborator

millert commented Mar 24, 2022

If you type your password before the password prompt is displayed, echo will still be enabled on the terminal and what you type will be visible. The password is read in a loop so echo is disabled/enabled each time. This wasn't a big problem until PAM added a delay between incorrect password entries. Changing things such that echo is disabled a single time is difficult due to how the PAM conversation API works. Other programs that give the user multiple tries to enter a password, such as ssh, behave similarly.
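Added example (not sudo's code and not from this thread) that models the race described above with a pseudo-terminal pair: if ECHO is restored between attempts, a password typed during the PAM failure delay is echoed by the tty line discipline before the next prompt turns echo off; keeping echo off across the retries avoids that. The typed input is constructed; `simulate_retry` is a hypothetical name.

```python
import os
import select
import termios

def set_echo(fd, enabled):
    """Toggle the tty ECHO flag, as a password prompt does around each read."""
    attrs = termios.tcgetattr(fd)
    if enabled:
        attrs[3] |= termios.ECHO
    else:
        attrs[3] &= ~(termios.ECHO | termios.ECHONL)
    termios.tcsetattr(fd, termios.TCSANOW, attrs)

def drain(master, timeout=0.2):
    """Collect what the terminal would have displayed (readable on the master side)."""
    out = b""
    while select.select([master], [], [], timeout)[0]:
        out += os.read(master, 4096)
    return out

def simulate_retry(typeahead, echo_off_across_retries):
    """Model the second password attempt after a failure.

    typeahead: constructed bytes the user types during the PAM failure delay,
    before the new prompt is displayed.
    Returns (bytes shown on screen, bytes the program reads at the next prompt).
    """
    master, slave = os.openpty()          # stand-in for the user's terminal
    try:
        set_echo(slave, False)            # echo off while the first password was read
        if not echo_off_across_retries:
            set_echo(slave, True)         # per-read toggling restores echo after the failed attempt
        os.write(master, typeahead)       # user types ahead during the PAM delay
        shown = drain(master)             # line discipline echoes only if ECHO is set
        set_echo(slave, False)            # prompt displayed again, echo off for the read
        entered = os.read(slave, 256)     # program receives the buffered line either way
        return shown, entered
    finally:
        os.close(master)
        os.close(slave)

if __name__ == "__main__":
    for mode in (False, True):
        shown, entered = simulate_retry(b"constructed-pw\n", echo_off_across_retries=mode)
        print(f"echo off across retries={mode}: shown={shown!r} read={entered!r}")
```

Only the on-screen bytes differ between the two modes; the program reads the same password in both, which is why the leak is easy to miss in testing.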

@gabriele2000
Author

> If you type your password before the password prompt is displayed, echo will still be enabled on the terminal and what you type will be visible. The password is read in a loop so echo is disabled/enabled each time. This wasn't a big problem until PAM added a delay between incorrect password entries. Changing things such that echo is disabled a single time is difficult due to how the PAM conversation API works. Other programs that give the user multiple tries to enter a password, such as ssh, behave similarly.

Why isn't this a HUGE security concern? Like, the password is basically visible in this time span.
Why did PAM add this delay though?

@millert
Collaborator

millert commented Mar 24, 2022

My understanding is that the delay is to make it more expensive to brute-force password guessing. The password is only visible if you type it before the password prompt is displayed again.

@correabuscar

I've had my delay set to 0.5 sec via /etc/pam.d/system-auth,
i.e.

auth    optional  pam_faildelay.so delay=500000
...
auth    requisite pam_faillock.so preauth deny=0 nodelay
auth    [success=1 default=ignore]  pam_unix.so   try_first_pass nodelay
auth    [default=die] pam_faillock.so authfail nodelay
...

on Gentoo.

But it used to be a minimum of 2 seconds before, thankfully, this PR got merged 2 years ago: https://github.com/linux-pam/linux-pam/pull/296/files#diff-2e96e9a921efffe0106677739e14d3ffe27af0fb7e244bf869866ddad6359023L657
