Summary: CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login
Product: [Other] Security Response
Reporter: Florian Weimer <fweimer>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Version: unspecified
CC: jrusnack, k.macdonald, mattias.ellert, mgrepl, pkis, plautrba, tmraz, vkrizan
Doc Type: Bug Fix
Doc Text: It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions.
Last Closed: 2015-03-05 10:20:56 UTC
Bug Depends On: 1149241, 1170744, 1170745, 1170746
Description Florian Weimer 2014-12-02 14:48:20 UTC
Issue Description: In a Kerberos environment, OpenSSH allows remote, authenticated users to log in as another user if they are listed in a ~/.k5users file of that other user. This unexpectedly alters the system security policy, as expressed through the ~/.k5users file, because previously, users would have to log in locally, potentially requiring different forms of authentication, before they could use the ksu command to switch users.
Comment 1 Florian Weimer 2014-12-02 14:52:31 UTC
The vulnerability exists because of a patch applied by Fedora and downstreams:
https://bugzilla.mindrot.org/show_bug.cgi?id=1867
http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
Comment 2 Florian Weimer 2014-12-02 16:53:33 UTC
Proposed fix: Change the magic file name to ~/.ssh/k5users. This needs careful review to make sure that the file is opened as the correct user, to avoid attacks by moving around ~/.ssh, leading to arbitrary file reads.
Comment 3 Kenneth MacDonald 2014-12-10 17:21:52 UTC
From my reading of the patch, this could also stop users with automounted Kerberised CIFS home directories logging in over ssh. I have this working on RHEL6 by setting k5login_directory in /etc/krb5.conf so that sshd (via the gssapi libraries, I presume) looks for the k5login file in a local system directory instead of the user's network home. Otherwise, the automounter detects a failure to mount and refuses to retry for the user until the negative timeout has elapsed. This patch only looks in the home directory.
Comment 4 Petr Lautrbach 2015-01-13 16:55:06 UTC
I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the whole patch would be one option. However, I would add a new control option to sshd_config called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default but it could be enabled by an administrator if she wants users to use it.
Comment 5 Petr Lautrbach 2015-01-13 17:00:40 UTC
sshd_config man page would say:

    KerberosEnablek5users
        Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is "no".
Comment 6 Petr Lautrbach 2015-01-15 12:04:55 UTC
A little change in the option name: Using ~/.k5users files will be disabled by default. An administrator could enable it using "GSSAPIEnablek5users=yes".

man sshd_config:

    GSSAPIEnablek5users
        Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is "no".
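As an added illustration, not part of the bug report or of the openssh package, here is a small POSIX shell audit helper an administrator could use once the option exists: it reads the effective value of GSSAPIEnablek5users from an sshd_config (option name as proposed in comment 6, assumed default "no"; sshd keywords are case-insensitive, accept "key value" or "key=value", and the first occurrence wins), and lists every principal granted access through a ~/.k5users file under a home-directory root, following the ksu(1) line format (a principal followed by an optional command list, "*" meaning any command). The paths and sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or the openssh package.
# Audits the two things an administrator cares about after this change:
#   1. whether sshd_config enables the ~/.k5users lookup at all
#      (option name GSSAPIEnablek5users as proposed in comment 6, default "no");
#   2. which principals are granted access via ~/.k5users files, in the
#      ksu(1) format: one principal per line, optional command list, "*" = any.

# k5users_enabled CONFIG -> prints the effective value ("yes"/"no").
# sshd_config keywords are case-insensitive, accept "key value" or "key=value",
# and the first occurrence of a keyword wins.
k5users_enabled() {
    awk '
        {
            sub(/^[[:space:]]+/, "")                 # drop leading whitespace
            if ($0 == "" || $0 ~ /^#/) next           # skip blanks and comments
            n = split($0, f, /[[:space:]=]+/)         # "key value" or "key=value"
            if (n >= 2 && tolower(f[1]) == "gssapienablek5users") {
                print tolower(f[2]); found = 1; exit  # first match wins
            }
        }
        END { if (!found) print "no" }                # assumed default: disabled
    ' "$1"
}

# report_k5users HOME_ROOT -> one line "<user> <principal> <commands>" per
# entry found in HOME_ROOT/<user>/.k5users. Blank and "#" lines are skipped;
# a principal with no command list is reported as "(none listed)".
report_k5users() {
    root=$1
    for f in "$root"/*/.k5users; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        awk -v u="$user" '
            /^[[:space:]]*(#|$)/ { next }
            {
                cmds = ""
                for (i = 2; i <= NF; i++) cmds = cmds (i > 2 ? " " : "") $i
                if (cmds == "") cmds = "(none listed)"
                print u, $1, cmds
            }
        ' "$f"
    done
}

# Demo on constructed fixtures in a temporary directory (constructed data,
# not taken from any real system).
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\n# GSSAPIEnablek5users yes\nGSSAPIEnablek5users yes\n' > "$tmp/sshd_config"
    mkdir -p "$tmp/home/bob" "$tmp/home/carol"
    printf '# bob grants two principals\nalice@EXAMPLE.COM *\ndave@EXAMPLE.COM /bin/ls /bin/cat\n' \
        > "$tmp/home/bob/.k5users"
    echo "GSSAPIEnablek5users effective value: $(k5users_enabled "$tmp/sshd_config")"
    echo "principals granted access via ~/.k5users:"
    report_k5users "$tmp/home"
    rm -rf "$tmp"
}

# Runs the demo; remove this line to source the two functions into another script.
demo
```

Run against the real system with `k5users_enabled /etc/ssh/sshd_config` and `report_k5users /home`; an empty report with the option at "no" is the state the comments above aim for, and any principal carrying "*" is a full remote-login grant worth reviewing.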
Comment 7 Petr Lautrbach 2015-01-15 12:05:41 UTC
*** Bug 1149241 has been marked as a duplicate of this bug. ***
Comment 12 Florian Weimer 2015-02-25 09:39:38 UTC
This issue was addressed in Fedora in package versions openssh-6.4p1-8.fc20, openssh-6.6.1p1-11.1.fc21, and openssh-6.7.1p1-1.fc22.