[Bug 2107] seccomp sandbox breaks GSSAPI

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Feb 26 21:06:06 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2107

--- Comment #7 from Georg Hopp <georg at steffers.org> ---
But don't commit it right now...

A moment ago I realized a problem that might relate to this or not.

I am now able to ssh into the machines without a TGT and without a
correct password. This might also be related to pam, but I am not sure
about this now.

Anyway, a su fails as expected.


The auth log of a su with a wrong password:

Feb 26 10:55:52 host su[9725]: pam_unix(su:auth): authentication failure; logname=ghopp uid=2001 euid=0 tty=/dev/pts/17 ruser=test rhost=  user=ghopp
Feb 26 10:55:52 host su[9725]: pam_sss(su:auth): system info: [Preauthentication failed]
Feb 26 10:55:52 host su[9725]: pam_sss(su:auth): authentication failure; logname=ghopp uid=2001 euid=0 tty=/dev/pts/17 ruser=test rhost= user=ghopp
Feb 26 10:55:52 host su[9725]: pam_sss(su:auth): received for user ghopp: 17 (Failure setting user credentials)
Feb 26 10:55:54 host su[9725]: pam_authenticate: Permission denied
Feb 26 10:55:54 host su[9725]: FAILED su for ghopp by test
Feb 26 10:55:54 host su[9725]: - /dev/pts/17 test:ghopp


The auth log of a su with the correct password:

Feb 26 10:57:13 host su[9729]: pam_unix(su:auth): authentication failure; logname=ghopp uid=2001 euid=0 tty=/dev/pts/17 ruser=test rhost=  user=ghopp
Feb 26 10:57:14 host su[9729]: pam_sss(su:auth): authentication success; logname=ghopp uid=2001 euid=0 tty=/dev/pts/17 ruser=test rhost= user=ghopp
Feb 26 10:57:14 host su[9729]: Successful su for ghopp by test
Feb 26 10:57:14 host su[9729]: + /dev/pts/17 test:ghopp
Feb 26 10:57:14 host su[9729]: pam_unix(su:session): session opened for user ghopp by ghopp(uid=2001)


And the auth log of an ssh without a TGT and with a wrong password:

Feb 26 10:58:05 host sshd[9736]: SSH: Server;Ltype: Version;Remote: 2001:4ba0:ffff:138:1::1000-42676;Protocol: 2.0;Client: OpenSSH_6.4p1-hpn14v2
Feb 26 10:58:06 host sshd[9736]: SSH: Server;Ltype: Kex;Remote: 2001:4ba0:ffff:138:1::1000-42676;Enc: aes128-ctr;MAC: hmac-md5-etm@openssh.com;Comp: none [preauth]
Feb 26 10:58:06 host sshd[9736]: SSH: Server;Ltype: Authname;Remote: 2001:4ba0:ffff:138:1::1000-42676;Name: ghopp [preauth]
Feb 26 10:58:08 host sshd[9738]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:4ba0:ffff:138:1::1000  user=ghopp
Feb 26 10:58:09 host sshd[9738]: pam_sss(sshd:auth): system info: [Preauthentication failed]
Feb 26 10:58:09 host sshd[9738]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:4ba0:ffff:138:1::1000 user=ghopp
Feb 26 10:58:09 host sshd[9738]: pam_sss(sshd:auth): received for user ghopp: 17 (Failure setting user credentials)
Feb 26 10:58:09 host sshd[9736]: Accepted keyboard-interactive/pam for ghopp from 2001:4ba0:ffff:138:1::1000 port 42676 ssh2
Feb 26 10:58:09 host sshd[9736]: pam_unix(sshd:session): session opened for user ghopp by (uid=0)
Feb 26 10:58:09 host sshd[9740]: SSH: Server;Ltype: Kex;Remote: 2001:4ba0:ffff:138:1::1000-42676;Enc: aes128-ctr;MAC: hmac-md5-etm@openssh.com;Comp: none


After that I am on the machine.

For me it looks like ssh accepts any password now.
As no TGT is involved in this, I guess that this can also be
reproduced in a non-kerberized environment.

regards
   Georg
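Added example, not part of the bug report or of OpenSSH: a small auth-log check for the pattern shown in the comment above, where PAM reports only failures for a user and client host and sshd then logs "Accepted keyboard-interactive/pam" for the same user and host. The sample log is constructed, modelled on the quoted entries; the second client's address (2001:db8::2000) and the user "alice" are placeholders.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the entries quoted in the report:
# PAM runs in a child sshd (pid 9738) and reports only failures, yet the
# parent sshd (pid 9736) logs an acceptance.  The second login (alice,
# placeholder address 2001:db8::2000) is a normal stacked pam_sss success.
SAMPLE_LOG = """\
Feb 26 10:58:08 host sshd[9738]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:4ba0:ffff:138:1::1000  user=ghopp
Feb 26 10:58:09 host sshd[9738]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:4ba0:ffff:138:1::1000 user=ghopp
Feb 26 10:58:09 host sshd[9736]: Accepted keyboard-interactive/pam for ghopp from 2001:4ba0:ffff:138:1::1000 port 42676 ssh2
Feb 26 11:02:01 host sshd[9801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::2000  user=alice
Feb 26 11:02:02 host sshd[9801]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::2000 user=alice
Feb 26 11:02:02 host sshd[9799]: Accepted keyboard-interactive/pam for alice from 2001:db8::2000 port 50122 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"pam_\w+\(sshd:auth\): authentication (?P<result>failure|success);"
                    r".*rhost=(?P<rhost>\S*) +user=(?P<user>\S+)")
ACCEPT_RE = re.compile(r"Accepted keyboard-interactive/pam for (?P<user>\S+) from (?P<rhost>\S+) port")


def find_suspicious_accepts(log_text, window_seconds=30):
    """Return (user, rhost, timestamp) for every keyboard-interactive/pam
    acceptance preceded, within the window, by PAM auth results for the
    same user and client host that contain failures and no success."""
    pam_events = []   # (time, user, rhost, "failure" | "success")
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != "sshd":
            continue
        t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        pm = PAM_RE.search(m["msg"])
        if pm:
            pam_events.append((t, pm["user"], pm["rhost"], pm["result"]))
            continue
        am = ACCEPT_RE.search(m["msg"])
        if not am:
            continue
        results = [r for et, u, h, r in pam_events
                   if u == am["user"] and h == am["rhost"]
                   and 0 <= (t - et).total_seconds() <= window_seconds]
        # A pam_unix failure followed by a pam_sss success is normal in a
        # stacked configuration; only "failures and nothing else" is flagged.
        if results and "success" not in results:
            suspicious.append((am["user"], am["rhost"], m["ts"]))
    return suspicious
```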
