[ldapvi] Clear password shown in audit logs when using ldapvi

Michael mlstarling31 at hotmail.com
Fri Dec 8 23:58:23 CET 2017


Hello –

When using pam_tty_audit in Red Hat we are noticing that passwords are being captured when using the ldapvi binary only.

When I run ldapvi and I'm prompted for the password, the password keystrokes are recorded to the audit.log:

[root@caldap3 ~]# ldapvi -ZZ -D cn=root,dc=test,dc=lott
--- Login
Type M-h for help on key bindings.

Filter or DN: cn=root,dc=test,dc=lott
Password: *************

Now I run aureport --tty on the server and you see "testpasswordentry" in the audit report:


61. 03/28/2017 09:39:42 4859 1100 ? 7 ldapvi "assssssssssss",<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"testpasswordentry",<ret>


I opened a case with Red Hat, who gave me the response below.

Hello Mike, Thanks for your patience. I have discussed this with our engineering team and the maintainers of pam_tty_audit. Actually the issue is only with the ldapvi utility, not with user authentications, whether through the terminal or ssh. Generally during any password entry, ECHO mode is turned off but ICANON mode remains active on the tty. However, it seems that ldapvi is not placed in that mode while entering the password. If ldapvi turns off ICANON and does its own keystroke processing, instead of just turning off ECHO (which can be confirmed with strace), then TTY auditing can't detect the input as a password. This has to be corrected in the ldapvi package. I would like to convey to you that ldapvi is provided from the EPEL repository, which is not shipped or supported by Red Hat.

Please report it to the upstream, who are able to assist you better regarding the ldapvi package:



Could you please patch this in the next release?



Regards,

Michael Starling
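The following is an added example, not ldapvi's code and not part of the original message. It shows the termios difference the Red Hat response is talking about. With pam_tty_audit enabled and its log_passwd option left off (the default), the kernel's TTY audit code skips input only while the tty is in canonical mode (ICANON set) with echo off (ECHO clear); a program that clears ICANON to do its own line editing has every keystroke audited, backspaces included, which is exactly the shape of the aureport line above. The helper names (tty_audit_treats_as_password, password_mode_canonical, password_mode_raw, read_password_canonical) are mine, and the "typical cooked terminal" flag set in main() is constructed for illustration.

```c
/* Added example: how TTY auditing sees two ways of reading a password.
 * Not part of ldapvi; helper names are illustrative.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Mirror of the kernel heuristic used when log_passwd is off:
 * input is skipped by the auditor (treated as a password) only when the
 * tty is in canonical mode with echo disabled. */
bool tty_audit_treats_as_password(const struct termios *t)
{
    return (t->c_lflag & ICANON) && !(t->c_lflag & ECHO);
}

/* Audit-friendly prompt: clear ECHO only and keep ICANON, so the line
 * discipline does the editing and the kernel sees a password entry.
 * This is the same mode getpass(3) uses. */
void password_mode_canonical(struct termios *t)
{
    t->c_lflag &= ~(tcflag_t)ECHO;
    t->c_lflag |= ICANON;
}

/* Raw-style prompt: drop ICANON and ECHO and read one key at a time,
 * handling backspace and '*' masking in user space. Convenient for a
 * masked prompt, but every keystroke is now visible to TTY auditing. */
void password_mode_raw(struct termios *t)
{
    t->c_lflag &= ~(tcflag_t)(ICANON | ECHO);
    t->c_cc[VMIN] = 1;
    t->c_cc[VTIME] = 0;
}

/* Read a password from stdin (must be a tty) the audit-friendly way.
 * Returns the number of bytes stored, without the newline, or -1. */
ssize_t read_password_canonical(char *buf, size_t len)
{
    int fd = STDIN_FILENO;
    struct termios saved, pw;

    if (len == 0 || !isatty(fd) || tcgetattr(fd, &saved) != 0)
        return -1;
    pw = saved;
    password_mode_canonical(&pw);
    if (tcsetattr(fd, TCSAFLUSH, &pw) != 0)
        return -1;

    fputs("Password: ", stderr);
    fflush(stderr);
    ssize_t n = read(fd, buf, len - 1);
    fputc('\n', stderr);

    tcsetattr(fd, TCSAFLUSH, &saved);   /* always restore the terminal */
    if (n < 0)
        return -1;
    if (n > 0 && buf[n - 1] == '\n')
        n--;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed starting point: a typical cooked terminal. */
    struct termios t;
    memset(&t, 0, sizeof t);
    t.c_lflag = ICANON | ECHO;

    struct termios canon = t, raw = t;
    password_mode_canonical(&canon);
    password_mode_raw(&raw);
    printf("canonical, no echo -> auditor treats as password: %s\n",
           tty_audit_treats_as_password(&canon) ? "yes" : "no");
    printf("raw mode           -> auditor treats as password: %s\n",
           tty_audit_treats_as_password(&raw) ? "yes" : "no");

    char pw[256];
    ssize_t n = read_password_canonical(pw, sizeof pw);
    if (n >= 0) {
        printf("read %zd bytes\n", n);
        memset(pw, 0, sizeof pw);   /* do not leave the secret in memory */
    }
    return 0;
}
```

To check which mode a given program uses, as the Red Hat response suggests, run it under strace -f -e trace=ioctl and look at the TCSETS/TCSETSW/TCSETSF calls made around the password prompt: strace prints the local flags, so "-icanon -echo" means raw-style reading that TTY auditing will record, while "icanon -echo" is the canonical no-echo mode it skips.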

