
Pam-ussh may be tricked into using another logged in user's ssh-agent - zdw
https://hackerone.com/reports/204802
======
sneak
The bounty amount seems exceptionally low in light of the experience of the
reporter, the security budget of the reportee, and the severity of the bug.

It seems to me another zero on the end would be appropriate.

~~~
lima
Not to mention his extremely well-founded comments on their patch.

High level consulting basically.

~~~
peterwwillis
Fifteen thousand dollars to report a bug in a PAM module that you need a local
account to exploit? That is excessive. I don't think a professional would get
paid that much for an audit of the project (and they didn't hire one; this is
just one bug report).

~~~
eric_the_read
The actual bounty was $1,500, not $15,000:
[https://hackerone.com/reports/204802#activity-1513764](https://hackerone.com/reports/204802#activity-1513764)

~~~
peterwwillis
Yes. The parent-parent said "It seems to me another zero on the end would be
appropriate."

~~~
eric_the_read
Perhaps one day I'll learn to read. Sorry 'bout that.

------
russell_h
Funny, one of our engineers at ScaleFT reported the same issue 24 hours later.

He'd solved the same problem before:

[https://github.com/jbeverly/pam_ssh_agent_auth/blob/master/a...](https://github.com/jbeverly/pam_ssh_agent_auth/blob/master/authfd.c#L105-L159)

~~~
tedunangst
Apropos whatevs, that is some wild indentation. The block at the bottom, that
actually does the connect, none of the code after the if is what it looks like
it is. If you know the author, might mention this.

------
8_hours_ago
Wow! That bug report and follow-up is absolutely amazing!! If anyone is ever
trying to convince a company to release code as open source, this is the best
possible example to give.

------
peterwwillis
I highly recommend avoiding PAM if you care about security.

Also, was this written because pam_ssh_agent_auth does not support
certificates specifically? If so, why wouldn't they just modify the existing
module? Another example of "Hey let's re-engineer the wheel for fun" ?

------
dorianm
Then OpenSSL environment variables are security vulnerabilities too?
[https://news.ycombinator.com/item?id=13558750](https://news.ycombinator.com/item?id=13558750)

~~~
detaro
Not by themselves, but they could be part of one in a specific scenario.

------
tomohawk
js; dr

~~~
Shanea93
I copied the content here for anyone in a similar situation to the parent
commenter: [https://justpaste.it/14pz7](https://justpaste.it/14pz7)

The HTML hidden in that mountain of div tags is remarkably well formed for the
standard I see around on the "modern web".

~~~
mirimir
True. But it is ironic for a site named "hackerone.com" to serve _nothing_
with Javascript blocked. Or maybe just a bad joke ;)

