Is there a fix available for CAN-2003-0190 (with test program)

Senthil Kumar senthilkumar_sen at hotpop.com
Thu Dec 23 23:09:23 EST 2004


> Sergio Gelato wrote:
>> I see that the rest of that function has an "if (problem) goto out;" 
>> after
>> every krb5 library call. Doesn't that also introduce measurable time
>> differences? Interesting.
>
 I wrote a test case with expect to measure the time difference for valid 
and invalid users with the same workaround as said before. It seems to have 
the same amount of delay.
 Logs:
 Bad user:
 spawn time /opt/ssh/bin/ssh -l hil 127.0.0.1 ls /usr/bin/sh
 hil at 127.0.0.1's password:
 Permission denied, please try again.
 hil at 127.0.0.1's password:
 Permission denied, please try again.
 hil at 127.0.0.1's password:
 Received disconnect from 127.0.0.1: 2: Too many authentication failures for
 hil

 real        6.4
 user        0.0
 sys         0.0

 Good user:
 spawn time /opt/ssh/bin/ssh -l senthil 127.0.0.1 ls /usr/bin/sh
 senthil at 127.0.0.1's password:
 Permission denied, please try again.
 senthil at 127.0.0.1's password:
 Permission denied, please try again.
 senthil at 127.0.0.1's password:
 Received disconnect from 127.0.0.1: 2: Too many authentication failures for
 senthil

 real        6.4
 user        0.0
 sys         0.0


 Also the `if (problem) goto out;` loop doesn't introduce a time 
difference, because the krb5 library call krb5_get_init_creds_password() 
fails for both validuser+badpasswd and invaliduser+badpasswd. I hereby give 
a test program which shows that the above combinations have the same fail 
sequence. However, when the program is invoked with 
validuser+goodkerberospasswd, it will have a different sequence.

 So I would like to know whether the removal of the authctxt->valid check in 
auth-krb5.c has any other impact.

 Note: I don't know how Heimdal will treat it. I use only MIT Kerberos.

 Thanks & regards,
 Senthil Kumar.

Test Program:

/* Senthil test program for Kerberos */
/* To compile: cc -o check_valid Test_krb5.c -lkrb5 */
/* To run: ./check_valid <username> <kerberos passwd> */

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memset() */
#include <krb5.h>

int main(int argc, char **argv)
{
    krb5_error_code problem;
    krb5_context context = NULL;
    krb5_principal client = NULL;
    krb5_creds creds;
    char *str;
    char *mypassword;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <username> <kerberos passwd>\n", argv[0]);
        exit(1);
    }
    str = argv[1];
    mypassword = argv[2];
    memset(&creds, 0, sizeof(creds));

    /* Step 1: set up the krb5 library context */
    problem = krb5_init_context(&context);
    if (problem) {
        printf("\nproblem in initialization and krb5_init_context fails (code %ld)\n",
               (long)problem);
        exit(0);
    }
    printf("\nNo problem in initialization and krb5_init_context succeeds\n");

    /* Step 2: turn the user name into a principal */
    problem = krb5_parse_name(context, str, &client);
    if (problem) {
        printf("\nproblem in parsing and krb5_parse_name fails (code %ld)\n",
               (long)problem);
        krb5_free_context(context);
        exit(0);
    }
    printf("\nNo problem in parsing and krb5_parse_name succeeds\n");

    /* Step 3: ask the KDC for initial credentials with the password.
       This is the call that fails for both validuser+badpasswd and
       invaliduser+badpasswd; only validuser+goodpasswd gets past it. */
    problem = krb5_get_init_creds_password(context, &creds, client, mypassword,
                                           NULL, NULL, 0, NULL, NULL);
    if (problem) {
        printf("\nProblem in initialization of credentials and "
               "krb5_get_init_creds_password fails (code %ld)\n", (long)problem);
    } else {
        printf("\nNo problem in initialization of credentials and "
               "krb5_get_init_creds_password succeeds\n");
        krb5_free_cred_contents(context, &creds);
    }

    /* release what the library allocated */
    krb5_free_principal(context, client);
    krb5_free_context(context);
    return 0;
}



>
> ----- Original Message ----- 
> From: "Sergio Gelato" <Sergio.Gelato at astro.su.se>
> To: "OpenSSH Devel List" <openssh-unix-dev at mindrot.org>
> Sent: Wednesday, December 22, 2004 6:58 PM
> Subject: Re: Is there a fix available for CAN-2003-0190
>
>
>>* Senthil Kumar [2004-12-22 15:50:52 +0530]:
>>> I tried the following  workaround in auth-krb5.c to overcome the
>>> difference
>>> in appearance of delay in password prompts for valid and in valid users
>>> in
>>> OpenSSH-3.9p1.
>>>
>>> diff auth-krb5.c auth-krb5.c-fix
>>> 78,79d77
>>> <       if (!authctxt->valid)
>>> <               return (0);
>>> 80a79,81
>>> >         if (!authctxt->valid)
>>> >           ;;
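Review bot: the replacement hunk `80a79,81` leaves `if (!authctxt->valid)` followed by `;;`, two empty statements, so the validity check no longer does anything and control falls through with an authctxt that was never validated; the lines removed in `78,79d77` (`return (0);`) were the only thing stopping that. Equalising prompt timing this way trades a timing leak for passing an unvalidated context, and whatever its pw member points at, into the Kerberos and uid-switching calls that follow (the reply below names `temporarily_use_uid(authctxt->pw)` as the first of them). If uniform timing is the goal, keep the early-failure semantics and instead run the same sequence of library calls against a placeholder, well-formed context, recording the failure and applying it at the end, rather than deleting the check.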
>>
>> It looks to me like you're introducing a bug here. Looking at the code
>> immediately after that test makes it obvious:
>>
>>        temporarily_use_uid(authctxt->pw);
>>
>> If the authentication context is invalid, you shouldn't be passing it
>> as an argument to anything. Garbage in, garbage out, the saying goes.
>> In this case you're going to setuid() based on the invalid data...
>>
>>> With this, there is no difference in time delay for appearance of
>>> password
>>> prompts for both valid and invalid users with the following options in
>>> sshd configuration.
>>
>> I see that the rest of that function has an "if (problem) goto out;" 
>> after
>> every krb5 library call. Doesn't that also introduce measurable time
>> differences? Interesting.
>>
>> Maybe one should fill in a dummy, valid authctxt in such cases, and
>> make a note to fail the authentication at the end of the process.
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.791 / Virus Database: 535 - Release Date: 11/14/2004
>
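The two structures under discussion, the early `return (0)` on an invalid authctxt versus the "dummy, valid authctxt, fail at the end" approach Sergio suggests, are easier to compare side by side. The following is an added example written for this thread, not code from OpenSSH or from either poster: `struct authctxt` is a cut-down stand-in for sshd's context, `fake_kdc_check()` is a constructed stand-in for `krb5_get_init_creds_password()` (it knows one hypothetical principal, "senthil", with a made-up password), and the `steps` counter is a proxy for the work, and so the delay, each path performs. The first function skips all Kerberos work for unknown users; the second does identical work for known and unknown users and only then refuses the login, which is the property that closes the timing gap without feeding an unvalidated context into later calls.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for sshd's Authctxt: only the fields this example needs. */
struct authctxt {
    const char *user;     /* name the client asked for */
    bool valid;           /* true when the user exists in the password database */
    const char *pw_name;  /* stand-in for authctxt->pw->pw_name (NULL when !valid) */
};

/* Constructed stand-in for the KDC round trip. Returns 0 on success and a
   non-zero error code otherwise, mirroring the krb5_error_code convention.
   The principal and password here are hypothetical test fixtures. */
static int fake_kdc_check(const char *principal, const char *password)
{
    if (principal == NULL)
        return 2;                     /* no principal at all */
    if (strcmp(principal, "senthil") == 0 && strcmp(password, "correct-horse") == 0)
        return 0;
    return 1;                         /* pre-authentication failed */
}

/* Pattern the thread criticises: bail out before any Kerberos work when the
   user is unknown. Unknown users therefore take fewer steps than known users
   with a wrong password, which is exactly the observable difference. */
int auth_early_return(const struct authctxt *ctx, const char *password, int *steps)
{
    *steps = 0;
    if (!ctx->valid)
        return 0;                     /* unknown user: zero Kerberos steps */
    (*steps)++;                       /* parse the principal name */
    if (fake_kdc_check(ctx->pw_name, password) != 0) {
        (*steps)++;                   /* error path after the KDC call */
        return 0;
    }
    (*steps)++;                       /* success path after the KDC call */
    return 1;
}

/* Pattern from the reply: substitute a well-formed placeholder context for an
   unknown user, run the same sequence of calls, and only at the end refuse
   the login. Every later call sees a non-NULL pw_name, so nothing downstream
   operates on garbage, and both classes of user take the same number of steps. */
int auth_dummy_context(const struct authctxt *ctx, const char *password, int *steps)
{
    struct authctxt dummy = { ctx->user, true, "nonexistent-placeholder-principal" };
    const struct authctxt *work = ctx->valid ? ctx : &dummy;
    int authenticated = 0;

    *steps = 0;
    (*steps)++;                       /* parse the principal name */
    if (fake_kdc_check(work->pw_name, password) == 0)
        authenticated = 1;
    (*steps)++;                       /* same post-KDC step on both outcomes */

    /* Deferred decision: an invalid context can never log in, regardless of
       what the placeholder round trip returned. */
    if (!ctx->valid)
        authenticated = 0;
    return authenticated;
}

int main(void)
{
    /* Constructed users matching the names in the posted logs. */
    struct authctxt known   = { "senthil", true,  "senthil" };
    struct authctxt unknown = { "hil",     false, NULL };
    int s;

    auth_early_return(&unknown, "wrong", &s);
    printf("early return, unknown user : %d steps\n", s);
    auth_early_return(&known, "wrong", &s);
    printf("early return, known user   : %d steps\n", s);
    auth_dummy_context(&unknown, "wrong", &s);
    printf("dummy context, unknown user: %d steps\n", s);
    auth_dummy_context(&known, "wrong", &s);
    printf("dummy context, known user  : %d steps\n", s);
    return 0;
}
```

The step counter is deliberately crude: in a real server the equivalent measurement is wall-clock time to the next password prompt, as in the expect runs above, and a placeholder principal will still draw a different KDC error than a wrong password for a real one, so the network round trip itself also has to be kept symmetric. What the example shows is the structural property the patch lacks: failure is decided once, at the end, with the context validity check still in force.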

