Bug 1169843 (CVE-2014-9278) - CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login
Summary: CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login
Alias: CVE-2014-9278
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1149241 1170744 1170745 1170746
Blocks: 1160532
TreeView+ depends on / blocked
Reported: 2014-12-02 14:48 UTC by Florian Weimer
Modified: 2019-09-29 13:24 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions.
Clone Of:
Last Closed: 2015-03-05 10:20:56 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0425 0 normal SHIPPED_LIVE Moderate: openssh security, bug fix and enhancement update 2015-03-05 14:26:20 UTC

Description Florian Weimer 2014-12-02 14:48:20 UTC

In a Kerberos environment, OpenSSH allows remote, authenticated users
to log in as another user if they are listed in a ~/.k5users file of that
other user.  This unexpectedly alters the system security policy, as
expressed through the ~/.k5users file, because previously, users would
have to log in locally, potentially requiring different forms of
authentication, before they could use the ksu command to switch users.

Comment 1 Florian Weimer 2014-12-02 14:52:31 UTC
The vulnerability exists because of a patch used applied by Fedora and downstreams:


Comment 2 Florian Weimer 2014-12-02 16:53:33 UTC
Proposed fix: Change the magic file name to ~/.ssh/k5users.  This needs careful review to make sure that the file is opened as the correct user, to avoid attacks by moving around ~/.ssh, leading to arbitrary file reads.

Comment 3 Kenneth MacDonald 2014-12-10 17:21:52 UTC
From my reading of the patch, this could also stop users with automounted Kerberised CIFS home directories logging in over ssh.

I have this working on RHEL6 by setting k5login_directory in /etc/krb5.conf so that sshd (via the gssapi libraries, I presume) looks for the k5login file in a local system directory instead of the user's network home.  Otherwise, the automounter detects a failure to mount and refuses to retry for the user until the negative timeout has elapsed.

This patch only looks in the home directory.

Comment 4 Petr Lautrbach 2015-01-13 16:55:06 UTC
I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the whole patchwould be one option.

However I would add a new control option to sshd_conf called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default  but it could be enabled by an administrator if she wants users to use it.

Comment 5 Petr Lautrbach 2015-01-13 17:00:40 UTC
sshd_config man page would say:

   Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.

Comment 6 Petr Lautrbach 2015-01-15 12:04:55 UTC
A little change in the option name:

Using ~/.k5users files will be disabled by default. An administrator could enable it using "GSSAPIEnablek5users=yes"

man sshd_config:

    Specifies whether to look at .k5users file for GSSAPI authentication access control. Further details are described in ksu(1).  The default is “no”.

Comment 7 Petr Lautrbach 2015-01-15 12:05:41 UTC
*** Bug 1149241 has been marked as a duplicate of this bug. ***

Comment 12 Florian Weimer 2015-02-25 09:39:38 UTC
This issue was addressed in Fedora in package versions openssh-6.4p1-8.fc20, openssh-6.6.1p1-11.1.fc21, and openssh-6.7.1p1-1.fc22.

Comment 13 errata-xmlrpc 2015-03-05 09:28:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0425 https://rhn.redhat.com/errata/RHSA-2015-0425.html

Note You need to log in before you can comment on or make changes to this bug.