<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0"></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Hello –<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">We when using pam_audit_tty in Red Hat we are noticing that the passwords are being captured when using the ldapvi binary only.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">When I run ldapvi and I’m prompted for the password the password keystrokes are recorded to the audit.log
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">[<a href="mailto:root@caldap3" target="_blank"><span style="color: rgb(0, 102, 204); text-decoration-line: none;">root@caldap3</span></a> ~]# ldapvi -ZZ -D cn=root,dc=test,dc=lott --- Login Type
M-h for help on key bindings. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Filter or DN: cn=root,dc=test,dc=lott Password: *************<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Now I run aureport --tty on the server and you see "testpasswordentry" in the audit report.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">61. 03/28/2017 09:39:42 4859 1100 ? 7 ldapvi "assssssssssss",<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<ba ckspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"<span style="background:yellow;mso-highlight:yellow">testpasswordentry</span>"
,<ret><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">I opened a case with Red Hat who gave me the response below.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family: "Courier New"; color: rgb(37, 37, 37); background-image: initial; background-">Hello Mike, Thanks for your patience. I have discussed this with our engineering team and maintainers of pam_tty_audit. Actually issue
is only with the ldapvi utility but not with the user authentications either through terminal or ssh. Generally during any password entry, ECHO mode is turned off but ICANON mode will be active in tty. However it seems that ldapvi doesn't seems to be placed
in that mode while entering the password. If ldapvi turns of ICANON and does its own keystroke processing, instead of just turning off ECHO (which can be confirmed with strace), then TTY auditing can’t detect the input as a password. This has to be corrected
with ldapvi package. I would like to convey you that ldapvi is provided from EPEL which repository which is not shipped and supported by Red Hat.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family: "Courier New"; color: rgb(37, 37, 37); background-image: initial; background-"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family: "Courier New"; color: rgb(37, 37, 37); background-image: initial; background-">Please report it to the upstream who are able to assist you better regarding this ldapvi package :<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Could you please patch this in the next release?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<span style="font-size:11.0pt;font-family:"Arial",sans-serif;mso-fareast-font-family:
Calibri;mso-fareast-theme-font:minor-latin;mso-ansi-language:EN-US;mso-fareast-language:
EN-US;mso-bidi-language:AR-SA">Michael Starling<a href="https://access.redhat.com/support/cases/"><span style="color: rgb(0, 102, 204); background-image: initial; background-"><br>
</span></a></span><br>
<p></p>
</div>
</body>
</html>