Bug 1169843 - (CVE-2014-9278) CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20141003,reported=2...
Keywords: Security
Depends On: 1149241 1170744 1170745 1170746
Blocks: 1160532
Reported: 2014-12-02 09:48 EST by Florian Weimer
Modified: 2015-07-31 08:41 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 05:20:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2015:0425 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: openssh security, bug fix and enhancement update | Last Updated: 2015-03-05 09:26:20 EST

Description Florian Weimer 2014-12-02 09:48:20 EST
Issue Description:

In a Kerberos environment, OpenSSH allows remote, authenticated users
to log in as another user if they are listed in a ~/.k5users file of that
other user.  This unexpectedly alters the system security policy, as
expressed through the ~/.k5users file, because previously, users would
have to log in locally, potentially requiring different forms of
authentication, before they could use the ksu command to switch users.
Comment 1 Florian Weimer 2014-12-02 09:52:31 EST
The vulnerability exists because of a patch applied by Fedora and downstreams:

https://bugzilla.mindrot.org/show_bug.cgi?id=1867
http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
Comment 2 Florian Weimer 2014-12-02 11:53:33 EST
Proposed fix: Change the magic file name to ~/.ssh/k5users.  This needs careful review to make sure that the file is opened as the correct user, to avoid attacks by moving around ~/.ssh, leading to arbitrary file reads.
Comment 3 Kenneth MacDonald 2014-12-10 12:21:52 EST
From my reading of the patch, this could also stop users with automounted Kerberised CIFS home directories logging in over ssh.

I have this working on RHEL6 by setting k5login_directory in /etc/krb5.conf so that sshd (via the gssapi libraries, I presume) looks for the k5login file in a local system directory instead of the user's network home.  Otherwise, the automounter detects a failure to mount and refuses to retry for the user until the negative timeout has elapsed.

This patch only looks in the home directory.
Comment 4 Petr Lautrbach 2015-01-13 11:55:06 EST
I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the whole patch would be one option.

However, I would add a new control option to sshd_config called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default, but it could be enabled by an administrator if she wants users to use it.
Comment 5 Petr Lautrbach 2015-01-13 12:00:40 EST
sshd_config man page would say:

KerberosEnablek5users
   Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.
Comment 6 Petr Lautrbach 2015-01-15 07:04:55 EST
A little change in the option name:

Using ~/.k5users files will be disabled by default. An administrator could enable it using "GSSAPIEnablek5users=yes"

man sshd_config:

GSSAPIEnablek5users
    Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1).  The default is “no”.
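An administrator wanting to know whether this behaviour is live on a host needs two things: whether sshd is configured to consult ~/.k5users at all (the GSSAPIEnablek5users switch proposed in comments 4 to 6, default "no"), and which principals the existing ~/.k5users files actually grant access to, as described in the issue description. The script below is an added example, not code from this bug, from OpenSSH or from the Fedora patch. It assumes the option name GSSAPIEnablek5users from the comments above, the sshd_config parsing rules (case-insensitive keyword, '#' comments, first value wins), and the .k5users line format from ksu(1): a principal followed by an optional list of commands, with '*' meaning any command. The sample config and .k5users contents are constructed; how sshd treats an entry's command list is not stated on this page, so entries are reported exactly as written.

```python
"""Audit ~/.k5users grants and the sshd_config switch that activates them.

Added example; not part of the Red Hat bug, OpenSSH or the Fedora patch.
Assumption: the option name GSSAPIEnablek5users (from comments 4 to 6 above).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample sshd_config. The duplicated keyword shows the
# first-value-wins rule: sshd ignores the later "no".
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
GSSAPIAuthentication yes
GSSAPIEnablek5users yes
GSSAPIEnablek5users no   # ignored by sshd: the first value wins
"""

# Constructed sample ~/.k5users contents, keyed by the local account that
# owns the file (the account a listed principal could log in as).
SAMPLE_K5USERS: Dict[str, str] = {
    "alice": "bob@EXAMPLE.COM\n",
    "root": "ops/admin@EXAMPLE.COM *\n"
            "carol@EXAMPLE.COM /usr/bin/less /usr/bin/cat\n",
    "dave": "",  # file present but empty: grants nothing
}


def k5users_enabled(sshd_config: str, option: str = "GSSAPIEnablek5users") -> bool:
    """Return True if sshd would consult ~/.k5users.

    Follows sshd_config lookup rules: keywords are case-insensitive, '#'
    starts a comment, 'keyword value' and 'keyword=value' are both accepted,
    and the first occurrence of a keyword is the one that counts. The
    default, as the proposed man page text says, is "no".
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == option.lower():
            return parts[1].strip().lower() == "yes"
    return False


def parse_k5users(text: str) -> List[Tuple[str, List[str]]]:
    """Parse .k5users lines of the form 'principal [command ...]' (ksu(1)).

    Blank lines are skipped. A command list containing '*' means any command.
    Returns (principal, commands) pairs in file order.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def audit(sshd_config: str, k5users_by_user: Dict[str, str]) -> Dict[str, object]:
    """Summarise which principals are listed for which local accounts.

    Returns a dict with:
      active    - whether sshd is configured to honour ~/.k5users
      grants    - list of (principal, local_user, commands) from all files
      wildcards - (principal, local_user) pairs whose command list is '*'
    """
    grants: List[Tuple[str, str, List[str]]] = []
    for local_user, text in k5users_by_user.items():
        for principal, commands in parse_k5users(text):
            grants.append((principal, local_user, commands))
    wildcards = [(p, u) for p, u, c in grants if "*" in c]
    return {
        "active": k5users_enabled(sshd_config),
        "grants": grants,
        "wildcards": wildcards,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SSHD_CONFIG, SAMPLE_K5USERS)
    print("sshd consults ~/.k5users:", report["active"])
    for principal, user, commands in report["grants"]:
        shown = " ".join(commands) if commands else "(no command list)"
        print(f"  {principal} listed for {user}: {shown}")
    for principal, user in report["wildcards"]:
        print(f"  WARNING: {principal} has wildcard '*' for account {user}")
```

On a real host the k5users_by_user mapping would be built by reading each account's ~/.k5users from /etc/passwd home directories; note Comment 3's point that on automounted network homes this read itself has side effects, and Comment 2's point that such files must be opened as the owning user rather than as root.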
Comment 7 Petr Lautrbach 2015-01-15 07:05:41 EST
*** Bug 1149241 has been marked as a duplicate of this bug. ***
Comment 12 Florian Weimer 2015-02-25 04:39:38 EST
This issue was addressed in Fedora in package versions openssh-6.4p1-8.fc20, openssh-6.6.1p1-11.1.fc21, and openssh-6.7.1p1-1.fc22.
Comment 13 errata-xmlrpc 2015-03-05 04:28:44 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0425 https://rhn.redhat.com/errata/RHSA-2015-0425.html
