Possible security flaw in OpenSSH and/or pam_krb5 (OpenSSH Development forum, Networking and Network Related category)
openssh-unix-dev@mindrot.org, kerberos@ncsa.uiuc.edu

We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case, which leads us to believe it's at least partially a problem with OpenSSH's PAM code.

We first noticed this flaw on SLES8 and verified the same problem on RedHat 9 and RHEL 3:

- RedHat 9: pam_krb5-1.60-1
- RedHat Enterprise Linux AS 3 Update 5: pam_krb5-1.75-1
- SuSE SLES 8: pam_krb5-1.0.3-199

Most of my work has been with RedHat 9 and I see the problem with OpenSSH versions 3.7.1p2, 3.8.1p1, and 4.1p1.

Typically we try not to use pam_krb5, opting for native Kerberos authentication wherever possible. However, the ramification of this problem is that accounts can still be used after we've 'expired' them on the KDCs.

Last week (when we still thought it was solely a pam_krb5 issue) we sent an email to some of the vendors. The only one who responded was Nicolas Williams from Sun, who has been very helpful. I'm not very familiar with how PAM works or the OpenSSH codebase for that matter, so I'm including some of his tips in case it helps in the investigation of the problem:

------------------------------------------
- If the application is not calling, or ignoring non-success return values of, pam_acct_mgmt() yet still allowing access to the account, then the application has a gaping hole and is at fault.
- A PAM module may defer authentication and authorization, in password-change-required situations, to pam_sm_chauthtok(3PAM), but if so it must:
  a) return PAM_SUCCESS from its pam_sm_authenticate(3PAM) _AND_
  b) return PAM_NEW_AUTHTOK_REQD from its pam_sm_acct_mgmt(3PAM).
  Kerberos V and LDAP BIND type modules typically do this. If it does otherwise then it will either not support password aging or sport a gaping security hole.
- Such modules' account modules must be configured as required or requisite or binding.
- Care must be taken not to configure PAM account stacks in such a way that another sufficient or binding module may preempt calls to pam_sm_acct_mgmt(3PAM) entry points of modules such as pam_krb5.
------------------------------------------

We have not tested OpenSSH with PAM under Solaris. If anyone has any questions regarding our setup I'll do my best to answer them. We're hoping someone can duplicate the problem and we're willing to test any fixes/patches that come up.

Thanks,
Mike

---------------------------------------------------
Mike Dopheide
dopheide@ncsa.uiuc.edu
System Engineer
Phone: 217.244.0299
NCSA, University of Illinois
Fax: 217.244.1987
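The PAM call sequence those tips describe, as an added example that is not part of the post or of OpenSSH: the gate logic takes function pointers standing in for pam_authenticate(), pam_acct_mgmt() and pam_chauthtok() so it runs without linking libpam, and the return-code values are Linux-PAM's (assumed constants, defined locally).

```c
/* Added example (not from the post or OpenSSH): the account-management
 * sequence a login application owes PAM. Callbacks stand in for the
 * libpam calls; the numeric codes are Linux-PAM's values. */
#include <stdio.h>

#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12    /* password change required */
#define PAM_AUTHTOK_ERR            20    /* password change failed   */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x20  /* flag for pam_chauthtok() */

struct pam_ops {                 /* stand-ins for the real libpam entry points */
    int (*authenticate)(void *ctx);
    int (*acct_mgmt)(void *ctx);
    int (*chauthtok)(void *ctx, int flags);
};

/* The hole the tips warn about: only pam_authenticate() is consulted, so a
 * principal with +needchange (auth OK, account says "change password")
 * is admitted. Returns 1 to admit, 0 to deny. */
int flawed_gate(const struct pam_ops *ops, void *ctx)
{
    return ops->authenticate(ctx) == PAM_SUCCESS;
}

/* Correct order: authenticate, then account management. PAM_NEW_AUTHTOK_REQD
 * forces a password change and admits only if that succeeds; every other
 * non-success result denies access. */
int correct_gate(const struct pam_ops *ops, void *ctx)
{
    if (ops->authenticate(ctx) != PAM_SUCCESS)
        return 0;
    int rc = ops->acct_mgmt(ctx);
    if (rc == PAM_NEW_AUTHTOK_REQD)
        rc = ops->chauthtok(ctx, PAM_CHANGE_EXPIRED_AUTHTOK);
    return rc == PAM_SUCCESS;
}

/* Constructed stand-in for a pam_krb5 stack whose principal has
 * REQUIRES_PWCHANGE set: authenticate succeeds, acct_mgmt demands a change,
 * and the change succeeds or fails according to ctx->change_succeeds. */
struct needchange_ctx { int change_succeeds; };
static int nc_auth(void *c)  { (void)c; return PAM_SUCCESS; }
static int nc_acct(void *c)  { (void)c; return PAM_NEW_AUTHTOK_REQD; }
static int nc_chauth(void *c, int flags) {
    (void)flags;
    return ((struct needchange_ctx *)c)->change_succeeds ? PAM_SUCCESS : PAM_AUTHTOK_ERR;
}
const struct pam_ops needchange_ops = { nc_auth, nc_acct, nc_chauth };

int main(void)
{
    struct needchange_ctx ctx = { 0 };  /* user never completes the change */
    printf("flawed gate admits:  %d\n", flawed_gate(&needchange_ops, &ctx));
    printf("correct gate admits: %d\n", correct_gate(&needchange_ops, &ctx));
    return 0;
}
```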