1149241 – .k5users should be used only with ksu

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1149241 - .k5users should be used only with ksu

Summary: .k5users should be used only with ksu

Keywords:
Status:	CLOSED DUPLICATE of bug 1170745
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Lautrbach
QA Contact:	Patrik Kis
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2014-9278
TreeView+	depends on / blocked

Reported:	2014-10-03 15:05 UTC by Patrik Kis
Modified:	2015-01-26 13:23 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-01-15 12:05:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
KerberosEnablek5users.patch (3.85 KB, text/plain) 2015-01-13 16:58 UTC, Petr Lautrbach	no flags	Details
View All

Description Patrik Kis 2014-10-03 15:05:38 UTC

Description of problem:
.k5users is closely related to ksu only, at least this is suggested by documentation (.k5users is always mentioned only in ksu related documents, at least what I've found)
So one would expect that principals listed there can log in only via ksu, but not they can also via ssh.
In older releases (RHEL-6: krb5-1.10.3-33.el6 or RHEL-5 too) that was the case, but in RHEL-7 this seems changed.

If this change wasn't intentional then this can be considered regression against krb5-1.10 and older (RHEL-6). If the change was intentional, it should be documented.

Version-Release number of selected component (if applicable):
krb5-1.12.2-8.el7
or
krb5-1.11.3-49.el7

How reproducible:
always

Steps to Reproduce:
# kinit alice
Password for alice: 
# ssh alice@`hostname`
Last login: Fri Oct  3 16:51:15 2014 from rhel7
[alice@rhel70 ~]$ exit
logout
Connection to rhel70.pkis.net closed.

# kdestroy 
# kinit bob
Password for bob: 
# ssh alice@`hostname`
alice.net's password: 

#
# echo bob >/home/alice/.k5login
# chown alice:alice /home/alice/.k5login
# ssh alice@`hostname`
Last login: Fri Oct  3 16:56:34 2014 from rhel7
[alice@rhel70 ~]$ exit
logout
Connection to rhel70.pkis.net closed.
#
# ssh alice@`hostname`
Last login: Fri Oct  3 16:58:44 2014 from rhel7
[alice@rhel70 ~]$ exit
logout
Connection to rhel70.pkis.net closed.
# 

^^^ This suppose to fail IMHO

# kdestroy 
# kinit alice
# ssh alice@`hostname`
alice.net's password: 

#

^^^ and this pass

Comment 2 Nalin Dahyabhai 2014-10-03 20:51:40 UTC

The reproducer doesn't modify alice's .k5users file, so I'm a bit confused about what we're being shown here.

Comment 3 Simo Sorce 2014-10-04 18:36:32 UTC

The k5login manpage quite explicitly mentions remote access as the main use case.
An excerpt:
       Suppose the user alice had a .k5login file in her home  directory  con‐
       taining the following line:

              bob

       This  would  allow  bob  to  use Kerberos network applications, such as
       ssh(1), to access alice's account, using bob's Kerberos tickets.

And afaik this has always been the case.

I am closing as NOTABUG.

Comment 4 Sumit Bose 2014-10-06 07:23:38 UTC

I'm not sure if your reproducer is correct either. Did you wanted to say

# echo bob >/home/alice/.k5users
# chown alice:alice /home/alice/.k5users
# ssh alice@`hostname`


(.k5users instead of .k5login)

If this is the case you might want to open this ticket against openssh becasue its the openssh's sshd which offers this functionality. The idea was that ssh can be used like ksu to allow the execution specific commands as the target users. But this requires that the list of allowed commands must follow the principal in .k5users. If there is no command I would expect that .k5users bahave like .k5login and allows shell (i.e. general) access.

Comment 5 Patrik Kis 2014-10-06 08:09:54 UTC

(In reply to Sumit Bose from comment #4)
> I'm not sure if your reproducer is correct either. Did you wanted to say
> 
> # echo bob >/home/alice/.k5users
> # chown alice:alice /home/alice/.k5users
> # ssh alice@`hostname`
> 
> 
> (.k5users instead of .k5login)
> 

Yes, that was what I meant. Sorry, it was a copy/paste error.

> If this is the case you might want to open this ticket against openssh
> becasue its the openssh's sshd which offers this functionality. The idea was
> that ssh can be used like ksu to allow the execution specific commands as
> the target users. But this requires that the list of allowed commands must
> follow the principal in .k5users. If there is no command I would expect that
> .k5users bahave like .k5login and allows shell (i.e. general) access.

You are right. It is in sshd man page, I should have checked that. I blindly thought that krb5 changed. But since the new behaviour is documented in sshd man page, and seems to work as documented, I don't think the case needs to be forwarded to ssh. Thanks for explanation; this is not a bug, indeed.

Comment 6 Patrik Kis 2014-10-06 08:44:47 UTC

One more question. Shouldn't the "k5users" method listed/implemented here too? 

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#localauth-interface

k5login is listed there and I can disable ssh login with:

[plugins]
 localauth = {
  disable = k5login
 }

if k5login is configured. But k5users can not be disabled.

Comment 7 Simo Sorce 2014-10-06 13:37:30 UTC

k5users is specific to ksu, krb5.conf knows nothing about it.

Comment 10 Petr Lautrbach 2015-01-13 16:51:58 UTC

I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the hole patch with this would be one option.

However I would add a new control option to sshd_conf called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default due to CVE-2014-9278  but it could be enabled by an administrator.

There will be one check in the code:

--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -269,7 +269,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
 
        snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
        /* If both .k5login and .k5users DNE, self-login is ok. */
-       if (!k5login_exists && (access(file, F_OK) == -1)) {
+       if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
                 return ssh_krb5_kuserok(krb_context, principal, luser,
                                         k5login_exists);
        }

Comment 11 Petr Lautrbach 2015-01-13 16:58:17 UTC

Created attachment 979678 [details]
KerberosEnablek5users.patch

KerberosUseKuserok
   Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.

Comment 12 Petr Lautrbach 2015-01-13 17:01:00 UTC

It should be:

KerberosEnablek5users
   Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.

Comment 14 Petr Lautrbach 2015-01-15 12:05:41 UTC

After discussion with Patrick, I'm closing this as a duplicate of 1169843

*** This bug has been marked as a duplicate of bug 1169843 ***

Comment 15 Petr Lautrbach 2015-01-26 13:23:51 UTC


*** This bug has been marked as a duplicate of bug 1170745 ***

Note You need to log in before you can comment on or make changes to this bug.