Is there a fix available for CAN-2003-0190
Senthil Kumar
senthilkumar_sen at hotpop.com
Thu Dec 23 22:48:58 EST 2004
Sergio Gelato wrote:
> I see that the rest of that function has an "if (problem) goto out;" after
> every krb5 library call. Doesn't that also introduce measurable time
> differences? Interesting.
I wrote a test case with expect to measure the time difference for valid and
invalid users with the same workaround as mentioned before. It seems to have the
same amount of delay.
Logs:

Bad user:

spawn time /opt/ssh/bin/ssh -l hil 127.0.0.1 ls /usr/bin/sh
hil@127.0.0.1's password:
Permission denied, please try again.
hil@127.0.0.1's password:
Permission denied, please try again.
hil@127.0.0.1's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for hil
real 6.4
user 0.0
sys 0.0

Good user:

spawn time /opt/ssh/bin/ssh -l senthil 127.0.0.1 ls /usr/bin/sh
senthil@127.0.0.1's password:
Permission denied, please try again.
senthil@127.0.0.1's password:
Permission denied, please try again.
senthil@127.0.0.1's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for senthil
real 6.4
user 0.0
sys 0.0
Also, the `if (problem) goto out;` loop doesn't introduce a time difference,
because the krb5 library call krb5_get_init_creds_password() fails for both
validuser+badpasswd and invaliduser+badpasswd. I hereby attach a test
program which shows that the above combinations have the same failure sequence.
However, when the program is invoked with validuser+goodkerberospasswd, it
will have a different sequence.

So I would like to know whether the removal of the authctxt->valid check in
auth-krb5.c has any other impact.

Note: I don't know how Heimdal will treat it. I use only MIT Kerberos.
Thanks & regards,
Senthil Kumar.
----- Original Message -----
From: "Sergio Gelato" <Sergio.Gelato at astro.su.se>
To: "OpenSSH Devel List" <openssh-unix-dev at mindrot.org>
Sent: Wednesday, December 22, 2004 6:58 PM
Subject: Re: Is there a fix available for CAN-2003-0190
>* Senthil Kumar [2004-12-22 15:50:52 +0530]:
>> I tried the following workaround in auth-krb5.c to overcome the difference
>> in appearance of delay in password prompts for valid and invalid users in
>> OpenSSH-3.9p1.
>>
>> diff auth-krb5.c auth-krb5.c-fix
>> 78,79d77
>> < if (!authctxt->valid)
>> < return (0);
>> 80a79,81
>> > if (!authctxt->valid)
>> > ;;
>
> It looks to me like you're introducing a bug here. Looking at the code
> immediately after that test makes it obvious:
>
> temporarily_use_uid(authctxt->pw);
>
> If the authentication context is invalid, you shouldn't be passing it
> as an argument to anything. Garbage in, garbage out, the saying goes.
> In this case you're going to setuid() based on the invalid data...
>
>> With this, there is no difference in time delay for appearance of password
>> prompts for both valid and invalid users with the following options in
>> sshd configuration.
>
> I see that the rest of that function has an "if (problem) goto out;" after
> every krb5 library call. Doesn't that also introduce measurable time
> differences? Interesting.
>
> Maybe one should fill in a dummy, valid authctxt in such cases, and
> make a note to fail the authentication at the end of the process.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
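To make the two points of this thread concrete (the measurable difference between the "bad user" and "good user, bad password" paths that the expect timings above probe, and Sergio's suggestion of a dummy valid context with a deferred failure), here is an added, self-contained C model of the auth-krb5.c password path. It is example code written for this page, not OpenSSH's code or the patch under discussion: `struct passwd_like`, `struct authctxt`, the `fake_*` stand-ins for krb5_get_init_creds_password() and temporarily_use_uid(), the hard-coded principal senthil/s3cret and the placeholder account "nobody" are all constructed assumptions. Instead of wall-clock time it counts units of work, so the two paths can be compared deterministically.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the OpenSSH structures (constructed for this example). */
struct passwd_like {
    const char *pw_name;
    int uid;
};

struct authctxt {
    int valid;               /* nonzero if getpwnam() found the account */
    const char *user;        /* name the client asked for */
    struct passwd_like *pw;  /* NULL when valid == 0, as in sshd */
};

/* Stand-in for krb5_get_init_creds_password(): one hard-coded principal and
 * password (constructed). The cost counter models the KDC round trip, which
 * takes the same time whether or not the password is right. */
static int fake_krb5_get_init_creds_password(const char *name, const char *password,
                                             unsigned *cost)
{
    *cost += 1000;
    if (strcmp(name, "senthil") == 0 && strcmp(password, "s3cret") == 0)
        return 0;
    return 1;                /* any nonzero value is an error, as in the real API */
}

/* Stand-in for temporarily_use_uid(): reads through pw, as the real one does,
 * so a NULL pw (an invalid context) would crash here. */
static void fake_temporarily_use_uid(const struct passwd_like *pw, unsigned *cost)
{
    if (pw->pw_name != NULL)
        *cost += 1;
}

/* Shape of the 3.9p1 path: bail out before any Kerberos work when the account
 * does not exist, so unknown users are answered measurably faster. */
int auth_krb5_password_original(struct authctxt *ctx, const char *password, unsigned *cost)
{
    int problem;

    if (!ctx->valid)
        return 0;            /* unknown user: answered before any Kerberos work */
    fake_temporarily_use_uid(ctx->pw, cost);
    problem = fake_krb5_get_init_creds_password(ctx->pw->pw_name, password, cost);
    return problem ? 0 : 1;
}

/* The suggested alternative: substitute a dummy, valid account for unknown
 * users, run the same krb5 path, and refuse only at the end. Valid-user/bad-
 * password and invalid-user/bad-password now cost the same. */
int auth_krb5_password_padded(struct authctxt *ctx, const char *password, unsigned *cost)
{
    static struct passwd_like dummy = { "nobody", 65534 };  /* assumed placeholder account */
    struct passwd_like *pw = ctx->valid ? ctx->pw : &dummy;
    int problem, authenticated = 0;

    fake_temporarily_use_uid(pw, cost);
    problem = fake_krb5_get_init_creds_password(pw->pw_name, password, cost);
    if (!problem)
        authenticated = 1;
    /* deferred failure: an unknown user never succeeds, whatever the KDC said */
    return authenticated && ctx->valid;
}

typedef int (*auth_fn)(struct authctxt *, const char *, unsigned *);

/* Build a context the way sshd would (pw only for existing users) and run one attempt. */
static int run_attempt(auth_fn fn, const char *user, int exists, const char *password,
                       unsigned *cost)
{
    static struct passwd_like real_pw = { "senthil", 1000 };  /* constructed local account */
    struct authctxt ctx;

    ctx.valid = exists;
    ctx.user = user;
    ctx.pw = exists ? &real_pw : NULL;
    *cost = 0;
    return fn(&ctx, password, cost);
}

/* Work done by one attempt: the quantity an attacker times from outside. */
unsigned attempt_cost(auth_fn fn, const char *user, int exists, const char *password)
{
    unsigned cost;
    (void)run_attempt(fn, user, exists, password, &cost);
    return cost;
}

/* 1 if the attempt authenticated, 0 otherwise. */
int attempt_result(auth_fn fn, const char *user, int exists, const char *password)
{
    unsigned cost;
    return run_attempt(fn, user, exists, password, &cost);
}

int main(void)
{
    printf("original: bad user %u, good user/bad password %u\n",
           attempt_cost(auth_krb5_password_original, "hil", 0, "x"),
           attempt_cost(auth_krb5_password_original, "senthil", 1, "x"));
    printf("padded:   bad user %u, good user/bad password %u\n",
           attempt_cost(auth_krb5_password_padded, "hil", 0, "x"),
           attempt_cost(auth_krb5_password_padded, "senthil", 1, "x"));
    return 0;
}
```

The original path does no work at all for an unknown user and the full KDC round trip for a known one, which is the gap the expect timings are looking for; the padded path costs the same in both cases yet still rejects the unknown user even when the password happens to be a valid principal's, because the final decision is anded with ctx->valid. In real sshd the remaining KDC-side differences (a principal that does not exist in the realm versus a wrong password) are outside what this model covers.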