Possible security flaw in OpenSSH and/or pam_krb5
Darren Tucker
dtucker at zip.com.au
Thu Jun 9 09:34:50 EST 2005
I can't comment on the Kerberos aspects, but as far as sshd's PAM
interface goes:
Mike Dopheide wrote:
[...]
> - If the application is not calling, or ignoring non-success return
> values of pam_acct_mgmt() yet still allowing access to the account,
> then the application has a gaping hole and is at fault.
sshd calls pam_acct_mgmt (via auth{1,2}.c -> auth-pam.c:do_pam_account).
If it returns PAM_NEW_AUTHTOK_REQD, sshd forces a password change,
either via keyboard-interactive or once the session starts.
You can check what the PAM stack is returning by running sshd in debug
mode and checking for the line "PAM: do_pam_account pam_acct_mgmt = x".
> - A PAM module may defer authentication and authorization, in
> password-change-required situations, to pam_sm_chauthtok(3PAM), but
> if so it must: a) return PAM_SUCCESS from its
> pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from
> its pam_sm_acct_mgmt(3PAM).
[...]
> If anyone has any questions regarding our setup I'll do my best to
> answer them. We're hoping someone can duplicate the problem and we're
> willing to test any fixes/patches that come up.
What do the PAM config files look like? Can you provide sshd debug output?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list