| Field | Value |
|---|---|
| Summary | CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login |
| Product | [Other] Security Response |
| Reporter | Florian Weimer <fweimer> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | jrusnack, k.macdonald, mattias.ellert, mgrepl, pkis, plautrba, tmraz, vkrizan |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Doc Text | It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. |
| Story Points | --- |
| Last Closed | 2015-03-05 10:20:56 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1149241, 1170744, 1170745, 1170746 |
| Bug Blocks | 1160532 |
Description
Florian Weimer
2014-12-02 14:48:20 UTC
The vulnerability exists because of a patch applied by Fedora and downstreams:

https://bugzilla.mindrot.org/show_bug.cgi?id=1867
http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855

Proposed fix: Change the magic file name to ~/.ssh/k5users. This needs careful review to make sure that the file is opened as the correct user, to avoid attacks by moving around ~/.ssh, leading to arbitrary file reads.

From my reading of the patch, this could also stop users with automounted Kerberised CIFS home directories logging in over ssh. I have this working on RHEL6 by setting k5login_directory in /etc/krb5.conf so that sshd (via the gssapi libraries, I presume) looks for the k5login file in a local system directory instead of the user's network home. Otherwise, the automounter detects a failure to mount and refuses to retry for the user until the negative timeout has elapsed. This patch only looks in the home directory.

I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the whole patch would be one option. However, I would add a new control option to sshd_conf called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default but it could be enabled by an administrator if she wants users to use it.

sshd_config man page would say:

KerberosEnablek5users
Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is "no".

A little change in the option name: Using ~/.k5users files will be disabled by default. An administrator could enable it using "GSSAPIEnablek5users=yes"

man sshd_config:

GSSAPIEnablek5users
Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is "no".

*** Bug 1149241 has been marked as a duplicate of this bug. ***

This issue was addressed in Fedora in package versions openssh-6.4p1-8.fc20, openssh-6.6.1p1-11.1.fc21, and openssh-6.7.1p1-1.fc22.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7 via RHSA-2015:0425 https://rhn.redhat.com/errata/RHSA-2015-0425.html
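The following audit helper is an added example, not part of the bug report or of the openssh package: it reports the effective value of the GSSAPIEnablek5users option introduced by the fix (treating an absent option as the documented default "no") and lists which home directories carry a ~/.k5users file together with the principals named in it. The sample sshd_config fragments and home directories it creates are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the openssh project).

# Effective value of GSSAPIEnablek5users in an sshd_config file.
# Per the fix described in the report, an absent option means "no".
# sshd_config keywords are case-insensitive, hence grep -i / tolower.
k5users_setting() {
    cfg="$1"
    val=$(grep -iE '^[[:space:]]*GSSAPIEnablek5users[[:space:]]+' "$cfg" 2>/dev/null \
          | head -n 1 | awk '{print tolower($2)}')
    case "$val" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# List .k5users files directly under each home directory below $1,
# printing "path:principal1,principal2" per file. In ksu(1) format the
# first field of each non-comment line is the principal allowed to
# become the directory owner; remaining fields are permitted commands.
list_k5users() {
    root="$1"
    find "$root" -mindepth 2 -maxdepth 2 -type f -name .k5users 2>/dev/null | sort |
    while read -r f; do
        principals=$(grep -vE '^[[:space:]]*(#|$)' "$f" | awk '{print $1}' | paste -s -d ',' -)
        echo "$f:$principals"
    done
}

# Stand-alone demo on constructed data (sample values, not a real host).
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\nGSSAPIAuthentication yes\n' > "$tmp/sshd_config.default"
    printf 'GSSAPIAuthentication yes\nGSSAPIEnablek5users yes\n' > "$tmp/sshd_config.enabled"
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    printf 'admin@EXAMPLE.COM\n# comment line\nbackup@EXAMPLE.COM *\n' > "$tmp/home/alice/.k5users"
    echo "default config: GSSAPIEnablek5users=$(k5users_setting "$tmp/sshd_config.default")"
    echo "enabled config: GSSAPIEnablek5users=$(k5users_setting "$tmp/sshd_config.enabled")"
    list_k5users "$tmp/home"
    rm -rf "$tmp"
}

demo
```

On a real host, point k5users_setting at /etc/ssh/sshd_config and list_k5users at /home; any listed file only matters when the setting is "yes".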