Bug 611713 - kshd: locuser too long for usernames >= 16 chars
kshd: locuser too long for usernames >= 16 chars
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5 (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Nalin Dahyabhai
BaseOS QE Security Team
:
Depends On:
Blocks: 632442
  Show dependency treegraph
 
Reported: 2010-07-06 05:10 EDT by Rik Brown
Modified: 2016-01-22 12:07 EST (History)
2 users (show)

See Also:
Fixed In Version: krb5-1.6.1-52.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 632442 (view as bug list)
Environment:
Last Closed: 2011-01-13 18:53:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for krb5 source to set NMAX as UT_NAMESIZE, not 16. (606 bytes, text/plain)
2010-07-06 05:10 EDT, Rik Brown
no flags Details
modified patch (952 bytes, patch)
2010-09-09 18:22 EDT, Nalin Dahyabhai
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0098 normal SHIPPED_LIVE krb5 bug fix and enhancement update 2011-01-12 12:39:25 EST

  None (edit)
Description Rik Brown 2010-07-06 05:10:50 EDT
Created attachment 429710 [details]
Patch for krb5 source to set NMAX as UT_NAMESIZE, not 16.

Description of problem:
If Kerberized rsh is used to attempt to execute a command on a remote machine, logging in as a username with 16 or more characters, a "kshd: locuser too long" message is seen.  However, just performing a login is successful.

Version-Release number of selected component (if applicable):
Appears to affect all versions of Kerberos in RedHat (RHEL4 and RHEL5), as well as upstream krb5-appl-1.0.1.

[RHEL5 box]# rpm -q krb5-workstation
krb5-workstation-1.6.1-36.4

[RHEL4 box]# rpm -q krb5-workstation
krb5-workstation-1.3.4-62.2

How reproducible:
100%

Steps to Reproduce:
1. kinit as any principle (e.g. your own)
2. Attempt to use Kerberos rsh to execute a command on any other Kerberos client as a username with <16 characters.  The user does not need to exist.
      - e.g. # /usr/kerberos/bin/rsh -x -l 123456789012345 some-server uptime
3. Now repeat the command except with any username >=16 characters.
      - e.g. # /usr/kerberos/bin/rsh -x -l 1234567890123456 some-server uptime
4. Now simply attempt to perform a remote login.
      - e.g. # /usr/kerberos/bin/rsh -x -l 1234567890123456 some-server
  
Actual results:
      - (2) A <16 char username will either perform the command correctly or give the expected "kshd: Login incorrect." error if it did not exist.
      - (3) A >=16 char username will see "kshd: locuser too long", regardless of whether the user exists.
      - (4) However when simply performing a remote login the command will be performed correctly, or will be rejected as not authorized if valid permissions/the user didn't exist. - as expected.

Expected results:
      - Successful command completion (or "kshd: Login incorrect." if the user didn't exist) or both tests 2/3.
      - Successful remote login or the expected Kerberos error e.g. not authorized for test 4.
      

Additional info:
It appears that the source code for kshd.c (src/appl/bsd/krshd.c) defines the locuser and remuser char array variables with a size of NMAX+1.  NMAX is #define'd earlier as the fixed figure, 16.  The "getstr" helper function checks the length and throws the aforementioned error (as the user couldn't fit in the char array).

However, the source code for krlogind.c (src/appl/bsd/krlogind.c) defines the similar variables "lusername" and "rusername" as UT_NAMESIZE+1.   UT_NAMESIZE is either defined in the included <utmp.h> (from glibc) or defined as sizeof(((struct utmp *)0)->ut_name).
In RHEL, this equates to 32 characters and I believe (from reading around online) refers to the maximum username size in Linux.   

I have attached a patch which changes kshd.c to simply also include the lines referring to UT_NAMESIZE and define NMAX based upon it.  Thus, consistency is restored and both remote login and kerberos rsh can correctly login to a user up to UT_NAMESIZE.

This patch can be applied to Kerberos 1.6.1-36.4 (RHEL5) and 1.3.4-62.2 (RHEL4).  Other versions and upstream have not been tested vs this patch, but I assume will work too (as upstream does not seem to have changed these much).
Comment 2 Nalin Dahyabhai 2010-08-10 17:09:39 EDT
Using UT_NAMESIZE looks like exactly the right thing to me.  Thanks!
Comment 4 Nalin Dahyabhai 2010-09-09 18:22:41 EDT
Created attachment 446385 [details]
modified patch

Looks like $USER's getting truncated, so we might as well also make the buffer that's used to hold its value bigger.
Comment 8 errata-xmlrpc 2011-01-13 18:53:16 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html

Note You need to log in before you can comment on or make changes to this bug.