Issue Description: In a Kerberos environment, OpenSSH allows remote, authenticated users to log in as another user if they are listed in a ~/.k5users file of that other user. This unexpectedly alters the system security policy, as expressed through the ~/.k5users file, because previously, users would have to log in locally, potentially requiring different forms of authentication, before they could use the ksu command to switch users.
The vulnerability exists because of a patch applied by Fedora and downstreams: https://bugzilla.mindrot.org/show_bug.cgi?id=1867 http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
Proposed fix: Change the magic file name to ~/.ssh/k5users. This needs careful review to make sure that the file is opened as the correct user, to avoid attacks by moving around ~/.ssh, leading to arbitrary file reads.
From my reading of the patch, this could also stop users with automounted Kerberised CIFS home directories from logging in over ssh. I have this working on RHEL6 by setting k5login_directory in /etc/krb5.conf so that sshd (via the gssapi libraries, I presume) looks for the k5login file in a local system directory instead of the user's network home. Otherwise, the automounter detects a failure to mount and refuses to retry for the user until the negative timeout has elapsed. This patch only looks in the home directory.
I'm not sure why we introduced support for ~/.k5users or who uses it. To drop the whole patch would be one option. However, I would add a new control option to sshd_config called KerberosEnablek5users which will control using ~/.k5users files. It would be disabled by default but it could be enabled by an administrator if she wants users to use it.
The sshd_config man page would say:
KerberosEnablek5users
    Specifies whether to look at the .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.
A little change in the option name: Using ~/.k5users files will be disabled by default. An administrator could enable it using "GSSAPIEnablek5users=yes".
man sshd_config:
GSSAPIEnablek5users
    Specifies whether to look at the .k5users file for GSSAPI authentication access control. Further details are described in ksu(1). The default is “no”.
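An audit helper for the option proposed above, added here as an editor's example (not code from the bug report or from OpenSSH). It assumes the GSSAPIEnablek5users keyword and its "no" default from the thread, the sshd_config(5) rules that the first value read for a keyword wins and keywords are case-insensitive, and that a .k5users file lists one principal per line; the sample config and .k5users contents are constructed.

```python
import os
import re

# Editor's example, not code from the bug report or OpenSSH.
# Assumptions: GSSAPIEnablek5users with default "no" (as proposed in the thread);
# sshd_config semantics: first value wins, keyword is case-insensitive;
# .k5users: first field of each non-empty line is a principal. Samples are constructed.

def effective_option(config_text, keyword, default):
    """Value sshd would use for keyword in the global section of sshd_config."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":           # later lines apply only to matching sessions
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip()  # first value wins, as in sshd
    return default

def k5users_enabled(config_text):
    """True only when the administrator has explicitly turned the feature on."""
    return effective_option(config_text, "GSSAPIEnablek5users", "no").lower() == "yes"

def k5users_principals(k5users_text):
    """First field of each non-empty line: principals allowed to become this user."""
    return [line.split()[0] for line in k5users_text.splitlines() if line.strip()]

def find_k5users(home_root):
    """Map each home directory under home_root that has a .k5users file to its principals."""
    findings = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name, ".k5users")
        if os.path.isfile(path):
            with open(path) as f:
                findings[name] = k5users_principals(f.read())
    return findings

SAMPLE_CONFIG = """# constructed sample sshd_config
GSSAPIAuthentication yes
gssapienablek5users no
GSSAPIEnablek5users yes
Match User alice
    GSSAPIEnablek5users yes
"""
SAMPLE_K5USERS = "admin@EXAMPLE.COM *\nbackup@EXAMPLE.COM /usr/bin/tar\n\n"

if __name__ == "__main__":
    print("sshd honours ~/.k5users:", k5users_enabled(SAMPLE_CONFIG))
    print("principals in sample .k5users:", k5users_principals(SAMPLE_K5USERS))
```

Run find_k5users("/home") on a host to see which accounts carry a .k5users file; with the option left at its default those files are ignored by sshd, but they still matter for local ksu.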
*** Bug 1149241 has been marked as a duplicate of this bug. ***
This issue was addressed in Fedora in package versions openssh-6.4p1-8.fc20, openssh-6.6.1p1-11.1.fc21, and openssh-6.7.1p1-1.fc22.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2015:0425 (https://rhn.redhat.com/errata/RHSA-2015-0425.html).