View Issue Details

ID: 0001108
Project: bareos-core
Category: [All Projects] director
View Status: public
Last Update: 2019-08-09 17:11
Reporter: joergs
Assigned To:
Status: new
Resolution: open
Product Version: 19.2.1
Target Version:
Fixed in Version:

Summary: 0001108: PAM users can be misused to directly connect to the bareos-director without password

Description:
When using PAM as authentication method, the user password in the bareos-director is not used for authentication. However, the bareos configuration requires a password. In the documentation the password is set to an empty string ("").

However, these users/consoles can be used to login via bconsole *without* password.
This is of course a security problem.

Steps To Reproduce:
Install bareos
Create following files:

Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}

Console {
  Name = user1
  Password = ""
  Profile = admin
}

Director {
  Name = bareos-dir
  address = localhost
  Password = "UNUSED"
}

Console {
  Name = "user1"
  Password = ""
}

systemctl restart bareos-dir.service

bconsole -c bconsole-user1.conf
Connecting to Director localhost:9101
 Encryption: ECDHE-PSK-CHACHA20-POLY1305
1000 OK: bareos-dir Version: 19.1.2 (01 February 2019) build binary binaries are UNSUPPORTED by
Get official binaries and vendor support on
You are logged in as: user1

Enter a period to cancel a command.

Additional Information:
Temporary workaround:
create PAM users with random passwords.

Tags: No tags attached.

There are no notes attached to this issue.
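
A way to audit for the condition described in this issue, as an added example (not part of the original report and not Bareos code): a Python script that reads director configuration text, lists Console resources whose Password is empty, and produces a random-password directive in line with the reported workaround. The sample configuration is constructed from the reproduction steps, the function names are hypothetical, and the parser assumes flat Console resources with one directive per line.

```python
import re
import secrets

# Constructed sample, modelled on the director-side resources in this report.
SAMPLE_DIRECTOR_CONF = '''
Console {
  Name = pam
  Password = secret
  UsePamAuthentication = yes
}
Console {
  Name = user1
  Password = ""   # empty, as in the reproduction steps
  Profile = admin
}
'''

# Assumption: flat Console resources, one directive per line, no "}" in values.
RESOURCE_RE = re.compile(r'^\s*Console\s*\{(.*?)\}', re.S | re.I | re.M)
# Value is either a quoted string (may contain "#") or bare text up to a comment.
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z ]+?)\s*=\s*("[^"]*"|[^#;"]*)')

def parse_consoles(text):
    """Return one dict of directives per Console resource."""
    consoles = []
    for body in RESOURCE_RE.findall(text):
        res = {}
        for line in body.splitlines():
            m = DIRECTIVE_RE.match(line)
            if m:
                # Bareos ignores case and spaces in directive names.
                key = m.group(1).replace(' ', '').lower()
                res[key] = m.group(2).strip().strip('"')
        consoles.append(res)
    return consoles

def empty_password_consoles(text):
    """Names of Console resources whose Password is missing or empty."""
    return [c.get('name', '?') for c in parse_consoles(text)
            if not c.get('password')]

def random_password_directive():
    """Workaround from the report: a random password for a PAM user."""
    return 'Password = "%s"' % secrets.token_urlsafe(32)

if __name__ == '__main__':
    for name in empty_password_consoles(SAMPLE_DIRECTOR_CONF):
        print(f'{name}: empty Password, use {random_password_directive()}')
```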

Issue History

Date Modified Username Field Change
2019-08-09 17:11 joergs New Issue