[Secure-testing-team] Bug#864187: libpam-google-authenticator: Security issue when using a common configuration scheme

tmolitor thilo+debian at eightysoft.de
Sun Jun 4 22:57:21 UTC 2017


Package: libpam-google-authenticator
Version: 20160607-2+b1
Severity: grave
Tags: security patch
Justification: user security hole

When configuring this pam module to add two-factor authentication to your ssh daemon (for example),
every ssh enabled user has to be configured for google-authenticator.
If you want to configure google-authenticator only for some users, not
all, various howtos available on the internet suggest using the "nullok" argument in the pam config.

But this opens a security hole for all users not configured to use the
google-authenticator, as these users can access the ssh server without
supplying any credentials at all.

There is essentially no way to use pam to ask for the user's password,
if the authenticator is not configured for this user, and to only ask
for the otp code if it is configured for the user.

See also https://github.com/google/google-authenticator-libpam/issues/55
for a more complete description of the issue
(especially this comment: https://github.com/google/google-authenticator-libpam/issues/55#issuecomment-275943553 ).

See commit https://github.com/google/google-authenticator-libpam/commit/4f7d3b13d1850108be91b63de2aec22538d8be6e
for a patch.
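As an added illustration (not part of this report, the Debian package or the upstream google-authenticator-libpam module), the POSIX shell helper below audits a PAM service file for the layout the report describes: pam_google_authenticator.so with nullok and no other auth module (no pam_unix.so line and no @include of common-auth) left in the stack to ask for a password. The function names check_pam_sshd and write_samples and the three sample service files are mine and constructed for the demo.

```shell
#!/bin/sh
# Added audit helper: not part of this bug report, the Debian package or the
# upstream google-authenticator-libpam module.
# It flags a PAM service file that relies on pam_google_authenticator.so with
# "nullok" while no other auth module is left to ask for a password (no
# pam_unix.so line and no "@include common-auth").  In that layout a user who
# has no ~/.google_authenticator file is let in without any credentials.
# Assumption: Linux-PAM line syntax, "type control module [args]".

# check_pam_sshd FILE
#   exit 0: safe (no nullok, or a password module is still in the stack)
#   exit 1: nullok used and nothing else verifies a password
#   exit 2: pam_google_authenticator.so is not used in this file
check_pam_sshd() {
    # drop comments and blank lines so a commented-out @include does not count
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1")
    ga_line=$(printf '%s\n' "$active" \
        | grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so')
    [ -n "$ga_line" ] || return 2
    # nullok must appear as a whole argument on the google-authenticator line
    printf '%s\n' "$ga_line" | grep -qE '(^|[[:space:]])nullok($|[[:space:]])' || return 0
    # nullok is in use: a password check must still be present in the stack
    if printf '%s\n' "$active" \
        | grep -qE '^[[:space:]]*(auth[[:space:]].*pam_unix\.so|@include[[:space:]]+common-auth)'; then
        return 0
    fi
    return 1
}

# write_samples DIR: constructed sample service files for the demo and test
write_samples() {
    # the layout many howtos suggest: common-auth commented out, nullok added
    cat > "$1/sshd.weak" <<'EOF'
# PAM configuration for the Secure Shell service
#@include common-auth
auth required pam_google_authenticator.so nullok
account required pam_nologin.so
EOF
    # password check kept in the stack, so nullok only skips the OTP prompt
    cat > "$1/sshd.fixed" <<'EOF'
@include common-auth
auth required pam_google_authenticator.so nullok
account required pam_nologin.so
EOF
    # a service that does not use the module at all
    cat > "$1/sshd.noga" <<'EOF'
@include common-auth
account required pam_nologin.so
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/sshd.*; do
    rc=0; check_pam_sshd "$f" || rc=$?
    case $rc in
        0) echo "$f: ok" ;;
        1) echo "$f: nullok with no password module in the stack" ;;
        2) echo "$f: pam_google_authenticator.so not used" ;;
    esac
done
rm -rf "$demo_dir"
```

Run it against a copy of /etc/pam.d/sshd to see which of the three cases a host falls into; the check only recognises pam_unix.so and @include common-auth as password modules, so a stack that verifies passwords some other way should be reviewed by hand rather than trusted to the script.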

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-google-authenticator depends on:
ii  libc6         2.24-11
ii  libpam0g      1.1.8-3.6
ii  libqrencode3  3.4.4-1+b2

libpam-google-authenticator recommends no packages.

libpam-google-authenticator suggests no packages.

-- no debconf information
