MNBSD-2011-6: pam_ssh authentication bypass with unencrypted SSH private keys

Severity: Unknown

Affected Package: pam_ssh

Summary: pam_ssh authentication bypass with unencrypted SSH private keys

Description

The OpenSSL private key decryption call used by pam_ssh ignores the passphrase argument when the key is not encrypted. If pam_ssh is enabled, an attacker can authenticate against accounts that have an unencrypted SSH private key by submitting any arbitrary passphrase, gaining unauthorized access. No CVE was assigned by FreeBSD for this advisory.

Affected Versions

pam_ssh

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases:

Published: December 23, 2011
Last Modified: December 23, 2011