Bug 1149241 - .k5users should be used only with ksu
Summary: .k5users should be used only with ksu
Keywords:
Status: CLOSED DUPLICATE of bug 1170745
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks: CVE-2014-9278
TreeView+ depends on / blocked
 
Reported: 2014-10-03 15:05 UTC by Patrik Kis
Modified: 2015-01-26 13:23 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-15 12:05:41 UTC
Target Upstream Version:


Attachments (Terms of Use)
KerberosEnablek5users.patch (3.85 KB, text/plain)
2015-01-13 16:58 UTC, Petr Lautrbach
no flags Details

Description Patrik Kis 2014-10-03 15:05:38 UTC
Description of problem:
.k5users is closely related to ksu only, at least this is suggested by documentation (.k5users is always mentioned only in ksu related documents, at least what I've found)
So one would expect that principals listed there can log in only via ksu, but not they can also via ssh.
In older releases (RHEL-6: krb5-1.10.3-33.el6 or RHEL-5 too) that was the case, but in RHEL-7 this seems changed.

If this change wasn't intentional then this can be considered regression against krb5-1.10 and older (RHEL-6). If the change was intentional, it should be documented.

Version-Release number of selected component (if applicable):
krb5-1.12.2-8.el7
or
krb5-1.11.3-49.el7

How reproducible:
always

Steps to Reproduce:
# kinit alice
Password for alice@ZMRAZ.COM: 
# ssh alice@`hostname`
Last login: Fri Oct  3 16:51:15 2014 from rhel7
[alice@rhel70 ~]$ exit
logout
Connection to rhel70.pkis.net closed.

# kdestroy 
# kinit bob
Password for bob@ZMRAZ.COM: 
# ssh alice@`hostname`
alice@rhel70.pkis.net's password: 

#
# echo bob@ZMRAZ.COM >/home/alice/.k5login
# chown alice:alice /home/alice/.k5login
# ssh alice@`hostname`
Last login: Fri Oct  3 16:56:34 2014 from rhel7
[alice@rhel70 ~]$ exit
logout
Connection to rhel70.pkis.net closed.
#
# ssh alice@`hostname`
Last login: Fri Oct  3 16:58:44 2014 from rhel7
[alice@rhel70 ~]$ exit
logout
Connection to rhel70.pkis.net closed.
# 

^^^ This suppose to fail IMHO

# kdestroy 
# kinit alice
# ssh alice@`hostname`
alice@rhel70.pkis.net's password: 

#

^^^ and this pass

Comment 2 Nalin Dahyabhai 2014-10-03 20:51:40 UTC
The reproducer doesn't modify alice's .k5users file, so I'm a bit confused about what we're being shown here.

Comment 3 Simo Sorce 2014-10-04 18:36:32 UTC
The k5login manpage quite explicitly mentions remote access as the main use case.
An excerpt:
       Suppose the user alice had a .k5login file in her home  directory  con‐
       taining the following line:

              bob@FOOBAR.ORG

       This  would  allow  bob  to  use Kerberos network applications, such as
       ssh(1), to access alice's account, using bob's Kerberos tickets.

And afaik this has always been the case.

I am closing as NOTABUG.

Comment 4 Sumit Bose 2014-10-06 07:23:38 UTC
I'm not sure if your reproducer is correct either. Did you wanted to say

# echo bob@ZMRAZ.COM >/home/alice/.k5users
# chown alice:alice /home/alice/.k5users
# ssh alice@`hostname`


(.k5users instead of .k5login)

If this is the case you might want to open this ticket against openssh becasue its the openssh's sshd which offers this functionality. The idea was that ssh can be used like ksu to allow the execution specific commands as the target users. But this requires that the list of allowed commands must follow the principal in .k5users. If there is no command I would expect that .k5users bahave like .k5login and allows shell (i.e. general) access.

Comment 5 Patrik Kis 2014-10-06 08:09:54 UTC
(In reply to Sumit Bose from comment #4)
> I'm not sure if your reproducer is correct either. Did you wanted to say
> 
> # echo bob@ZMRAZ.COM >/home/alice/.k5users
> # chown alice:alice /home/alice/.k5users
> # ssh alice@`hostname`
> 
> 
> (.k5users instead of .k5login)
> 

Yes, that was what I meant. Sorry, it was a copy/paste error.

> If this is the case you might want to open this ticket against openssh
> becasue its the openssh's sshd which offers this functionality. The idea was
> that ssh can be used like ksu to allow the execution specific commands as
> the target users. But this requires that the list of allowed commands must
> follow the principal in .k5users. If there is no command I would expect that
> .k5users bahave like .k5login and allows shell (i.e. general) access.

You are right. It is in sshd man page, I should have checked that. I blindly thought that krb5 changed. But since the new behaviour is documented in sshd man page, and seems to work as documented, I don't think the case needs to be forwarded to ssh. Thanks for explanation; this is not a bug, indeed.

Comment 6 Patrik Kis 2014-10-06 08:44:47 UTC
One more question. Shouldn't the "k5users" method listed/implemented here too? 

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#localauth-interface

k5login is listed there and I can disable ssh login with:

[plugins]
 localauth = {
  disable = k5login
 }

if k5login is configured. But k5users can not be disabled.

Comment 7 Simo Sorce 2014-10-06 13:37:30 UTC
k5users is specific to ksu, krb5.conf knows nothing about it.

Comment 10 Petr Lautrbach 2015-01-13 16:51:58 UTC
I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the hole patch with this would be one option.

However I would add a new control option to sshd_conf called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default due to CVE-2014-9278  but it could be enabled by an administrator.

There will be one check in the code:

--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -269,7 +269,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
 
        snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
        /* If both .k5login and .k5users DNE, self-login is ok. */
-       if (!k5login_exists && (access(file, F_OK) == -1)) {
+       if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
        }

Comment 11 Petr Lautrbach 2015-01-13 16:58:17 UTC
Created attachment 979678 [details]
KerberosEnablek5users.patch

KerberosUseKuserok
   Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.

Comment 12 Petr Lautrbach 2015-01-13 17:01:00 UTC
It should be:

KerberosEnablek5users
   Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.

Comment 14 Petr Lautrbach 2015-01-15 12:05:41 UTC
After discussion with Patrick, I'm closing this as a duplicate of 1169843

*** This bug has been marked as a duplicate of bug 1169843 ***

Comment 15 Petr Lautrbach 2015-01-26 13:23:51 UTC

*** This bug has been marked as a duplicate of bug 1170745 ***


Note You need to log in before you can comment on or make changes to this bug.