Linux-PAM pam_unix/unix_chkpwd is fail-open

[Solar Designer <solar () openwall com>]

Hi,

Just off Twitter, but relevant to this list:

<kragen> http://www.tedunangst.com/flak/post/thoughts-on-style-the-TLS-and-errors thoughts on #gotofail and how it's 
too easy for TLS software to "fail open".

<@solardiz> @kragen @tedunangst Re: BSD auth not relying on exit code, it's relevant that Linux-PAM's 
pam_unix/unix_chkpwd does: 
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/support.c?id=b0ec5d1e472a0cd74972bfe9575dcf6a3d0cad1c#n634

<@solardiz> @kragen @tedunangst We avoided this in our pam_tcb/tcb_chkpwd since its initial version in 2002: 
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tcb/tcb/pam_tcb/support.c?annotate=1.13 lines 441-451

TCB_MAGIC is 0x0a00ff7fUL

This might not be viewed as a vulnerability in pam_unix/unix_chkpwd, but
an authentication service being fail-open is against best practices.

The issue is mitigated by the fact that unix_chkpwd is only used to
check the user's own password, when unlocking an X desktop or GNU screen
(when it's patched to use PAM).  Another "mitigation" is that X desktop
locking is generally fail-open anyway. ;-(

Someone might want to patch this issue in Linux-PAM.

Alexander