Is there a fix available for CAN-2003-0190

Senthil Kumar senthilkumar_sen at hotpop.com
Thu Dec 23 22:48:58 EST 2004


Sergio Gelato wrote:
> I see that the rest of that function has an "if (problem) goto out;" after
> every krb5 library call. Doesn't that also introduce measurable time
> differences? Interesting.

I wrote a test case with expect to measure the time difference for valid and 
invalid users with the same workaround as said before. It seems to have the same 
amount of delay.
Logs:
Bad user:
spawn time /opt/ssh/bin/ssh -l hil 127.0.0.1 ls /usr/bin/sh
hil at 127.0.0.1's password:
Permission denied, please try again.
hil at 127.0.0.1's password:
Permission denied, please try again.
hil at 127.0.0.1's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for 
hil

real        6.4
user        0.0
sys         0.0

Good user:
spawn time /opt/ssh/bin/ssh -l senthil 127.0.0.1 ls /usr/bin/sh
senthil at 127.0.0.1's password:
Permission denied, please try again.
senthil at 127.0.0.1's password:
Permission denied, please try again.
senthil at 127.0.0.1's password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for 
senthil

real        6.4
user        0.0
sys         0.0


Also the `if (problem) goto out;` loop doesn't introduce a time difference, 
because the krb5 library call krb5_get_init_creds_password() fails for both 
validuser+badpasswd and invaliduser+badpasswd. I hereby attach a test 
program which shows that the above combinations have the same fail sequence. 
However, when the program is invoked with validuser+goodkerberospasswd, it 
will have a different sequence.

So I would like to know whether the removal of the authctxt->valid check in 
auth-krb5.c has any other impact.

Note: I don't know how HEIMDAL will treat it. I use only MIT Kerberos.

Thanks & regards,
Senthil Kumar.



----- Original Message ----- 
From: "Sergio Gelato" <Sergio.Gelato at astro.su.se>
To: "OpenSSH Devel List" <openssh-unix-dev at mindrot.org>
Sent: Wednesday, December 22, 2004 6:58 PM
Subject: Re: Is there a fix available for CAN-2003-0190


>* Senthil Kumar [2004-12-22 15:50:52 +0530]:
>> I tried the following workaround in auth-krb5.c to overcome the
>> difference in appearance of delay in password prompts for valid and invalid
>> users in OpenSSH-3.9p1.
>>
>> diff auth-krb5.c auth-krb5.c-fix
>> 78,79d77
>> <       if (!authctxt->valid)
>> <               return (0);
>> 80a79,81
>> >         if (!authctxt->valid)
>> >           ;;
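Review bot: Replacing `if (!authctxt->valid) return (0);` (the deleted lines 78-79) with the empty `if (!authctxt->valid) ;;` turns the guard into a no-op, so an invalid context falls straight through to the `temporarily_use_uid(authctxt->pw);` call that follows the test, and the uid switch then runs on data the caller never validated. If the aim is to make the valid and invalid paths take the same time, do not delete the guard; substitute a known-good dummy context for the uid and krb5 work and fail the authentication at the end of the function, so the invalid pw is never passed to a privileged call. The doubled `;;` also leaves a stray empty statement, which most compilers will warn about.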
>
> It looks to me like you're introducing a bug here. Looking at the code
> immediately after that test makes it obvious:
>
>        temporarily_use_uid(authctxt->pw);
>
> If the authentication context is invalid, you shouldn't be passing it
> as an argument to anything. Garbage in, garbage out, the saying goes.
> In this case you're going to setuid() based on the invalid data...
>
>> With this, there is no difference in time delay for appearance of 
>> password
>> prompts for both valid and invalid users with the following options in
>> sshd configuration.
>
> I see that the rest of that function has an "if (problem) goto out;" after
> every krb5 library call. Doesn't that also introduce measurable time
> differences? Interesting.
>
> Maybe one should fill in a dummy, valid authctxt in such cases, and
> make a note to fail the authentication at the end of the process.
>
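Sergio's closing suggestion (a dummy valid authctxt with the failure recorded at the end), beside the original early return and the posted `;;` workaround, as an added simulation in C. This is not OpenSSH code: the krb5 call and the uid switch are stand-ins, and the work counter is a constructed proxy for the time the expect logs above measure.

```c
/* Added example, not OpenSSH code: a simulation of the three variants of
 * auth_krb5_password() discussed in this thread. A work counter stands in for
 * time spent in krb5 calls so the timing difference becomes countable; all
 * names below are constructed for this example. */
#include <string.h>
struct passwd_sim   { const char *name; int uid; };
struct authctxt_sim { int valid; struct passwd_sim *pw; };
int work_done;          /* stand-in for wall-clock time spent in krb5 calls */
int setuid_on_garbage;  /* set if an invalid context reached the setuid step */

static void temporarily_use_uid_sim(const struct authctxt_sim *a)
{
    if (!a->valid) setuid_on_garbage = 1;  /* "garbage in", as Sergio warns */
}
/* Stand-in for krb5_get_init_creds_password(): as observed in the thread, it
 * fails identically for validuser+badpasswd and invaliduser+badpasswd. */
static int krb5_get_init_creds_sim(const char *principal, const char *password)
{
    work_done += 3;
    return !(strcmp(principal, "senthil") == 0 && strcmp(password, "correct") == 0);
}
/* 3.9p1 as shipped: the early return skips the krb5 work for unknown users,
 * which is the measurable difference the original poster set out to remove. */
int auth_krb5_orig(struct authctxt_sim *a, const char *password)
{
    work_done = 0;
    if (!a->valid) return 0;
    temporarily_use_uid_sim(a);
    return krb5_get_init_creds_sim(a->pw->name, password) == 0;
}
/* The quoted "if (!authctxt->valid) ;;" workaround: timing is now equal, but
 * the invalid context flows straight into the setuid step. */
int auth_krb5_workaround(struct authctxt_sim *a, const char *password)
{
    work_done = 0;
    if (!a->valid) { /* no-op, as in the posted diff */ }
    temporarily_use_uid_sim(a);
    return krb5_get_init_creds_sim(a->pw->name, password) == 0;
}
/* Sergio's suggestion: substitute a dummy valid context, run the full
 * sequence, and fail the authentication at the end. */
int auth_krb5_dummy(struct authctxt_sim *a, const char *password)
{
    static struct passwd_sim dummy = { "dummy-nobody", 65534 };
    struct authctxt_sim local = { 1, a->valid ? a->pw : &dummy };
    work_done = 0;
    temporarily_use_uid_sim(&local);
    int ok = krb5_get_init_creds_sim(local.pw->name, password) == 0;
    return a->valid ? ok : 0;  /* record the failure only after the full sequence */
}
```

With the original variant a bad password against an unknown user does no krb5 work at all, the workaround equalises the work but trips the garbage flag, and the dummy-context variant does the same work on both paths without ever touching the invalid context.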



