Possible security flaw in OpenSSH and/or pam_krb5
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jun 10 02:19:40 EST 2005
On Thu Jun 9 09:58:11 2005, Darren Tucker wrote:
> Further to this: I just did a quick test by overriding the return code
> of pam_acct_mgmt() with PAM_NEW_AUTHTOK_REQD, which resulted in the
> following behaviour or similar for at least v2+password, v2+pubkey and
> v1+tis authentications.
>
> $ ssh -p 2022 localhost
> Last login: Thu Jun 9 09:42:43 2005 from localhost
> debug3: channel 0: close_fds r -1 w -1 e -1 c -1
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user dtucker.
> Changing password for dtucker
> (current) UNIX password:
While I can see how you can make this behaviour not be insecure, it is
clearly not ideal: it works only if the user was trying to open a pty
channel, otherwise the client's requests fail or, if the client wanted
only to do local port forwarding, then the client might wait a long time
to find out that something went wrong with user authentication.
The SSHv2 protocol provides for a much cleaner way to do this: force use
of keyboard-interactive userauth and let PAM drive keyboard-interactive
to change the user's expired password.
> (this is the output from "passwd", however for protocol 2 +
> keyboard-interactive, or privsep=no for any combination of protocol and
> authentication, the change will be done via pam_chauthtok().)
But will the call to pam_chauthtok() happen in the context of
keyboard-interactive userauth? Or does it still require a pty channel?
Nico
--
More information about the openssh-unix-dev
mailing list