Possible security flaw in OpenSSH and/or pam_krb5
Mike Dopheide
dopheide at ncsa.uiuc.edu
Thu Jun 9 14:11:54 EST 2005
Darren,
Thanks for taking the time to investigate this. I've attached the
requested debugging info, but I've also made a little bit of forward
progress.
In the sshd PAM file you'll see the following line:
account [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/$ISA/pam_krb5afs.so
By including this line I am asked to change my password. As expected PAM
first asks to change the Unix password and then for some reason it asks to
change the Kerberos 5 password twice. (As a side note, it ends up setting
an /etc/shadow entry during one of these times it's changing my "Current
Kerbero 5 Password". That shouldn't have happened either and it confused
me for about an hour.)
Without this line the debug output shows (attached sshd.debug):
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
With this line, we see (attached sshd.debug2):
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required.)
In both of these cases pam_krb5 debug messages show:
Jun 8 22:42:54 quercus sshd[2510]: pam_krb5: get_int_tkt returned
Password has expired
(Side note 2, I could never get pam_krb5 to write debug messages with it's
'debug' option in the PAM config file. I ended up hard coding the DEBUG
#define.)
So I guess maybe all of this is just a misunderstanding of how to
configure the PAM stack, but it seems broken to me that the default
behavior for an expired principal is to succeed at authenticating.
Confused,
Mike
PS. You'll notice from the sshd_config and debug output that our sshd is
patched to support native kerberos authentication with GSSAPI, but that
shouldn't have any bearing on the PAM issues.
> > You can check what the PAM stack is returning by running sshd in debug
> > mode and checking for the line "PAM: do_pam_account pam_acct_mgmt = x".
>
> Further to this: I just did a quick test by overriding the return code
> of pam_acct_mgmt() with PAM_NEW_AUTHTOK_REQD, which resulted in the
> following behaviour or similar for at least v2+password, v2+pubkey and
> v1+tis authentications.
>
> $ ssh -p 2022 localhost
> Last login: Thu Jun 9 09:42:43 2005 from localhost
> debug3: channel 0: close_fds r -1 w -1 e -1 c -1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user dtucker.
> Changing password for dtucker
> (current) UNIX password:
>
> (this is the output from "passwd", however for protocol 2 +
> keyboard-interactive, or privsep=no for any combination of protocol and
> authentication, the change will be done via pam_chauthtok().)
>
> Could you please provide your sshd_config, PAM config and debug output
> from sshd -ddd ? Which non-kerberos authentication are you using?
>
>
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.tar.gz
Type: application/x-gzip
Size: 7875 bytes
Desc:
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050608/6de6b789/attachment.bin
More information about the openssh-unix-dev
mailing list