Possible security flaw in OpenSSH and/or pam_krb5

Nicolas Williams Nicolas.Williams at sun.com
Fri Jun 10 02:36:40 EST 2005


On Thu Jun  9 14:49:57 2005, Darren Tucker wrote:
> Mike Dopheide wrote:
> > By including this line I am asked to change my password.  As expected PAM
> > first asks to change the Unix password and then for some reason it asks to
> > change the Kerberos 5 password twice.
> 
> Regarding the double password request: I see you're using
> keyboard-interactive.  I suspect it's another manifestation of bug #688:
> the process where you authenticate exits, taking pam_krb5's private
> stash of data with it.  When sshd later calls pam_chauthtok() pam_krb5
> has to reestablish it.

Pretty much all PAM calls for a given login attempt and session have to
be executed with the same PAM handle, in the same process, and with all
privileges.  That's just how PAM works.

I figure this answers my question in my other reply -- sshd must be
calling pam_chauthtok() in the context of a pty channel, in a child
process or something like that, rather than in the context of
keyboard-interactive userauth.

> That's just how PAM works: you don't get to know about things like 
> password expiry until later.  A module could potentially force a change 
> during pam_authenticate via the conversation mechanism before allowing 
> the authentication to succeed, however that would break things 
> (including sshd's PasswordAuthentication via PAM).

I agree that this is an obnoxious feature of PAM.  I'm thinking about
how we could make it better, but for the time being, that's how it is.

However, this does not excuse sshd, or any other application, not
handling PAM properly (see above).  When pam_acct_mgmt() returns
PAM_NEW_AUTHTOK_REQD while processing userauths other than
keyboard-interactive, sshd should force failure of the current userauth
and then indicate that only keyboard-interactive userauth may continue.
When the client tries keyboard-interactive, start PAM processing from
scratch, call pam_authenticate(), pam_acct_mgmt() and, if it
returns PAM_NEW_AUTHTOK_REQD, call pam_chauthtok(), then pam_setcred(),
then pam_open_session(); only then can SSH userauth be considered
complete.

Nico
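An added example, not part of Nico's message and not code from OpenSSH, pam_krb5 or any PAM library: a small Python model of the call ordering the message lays out. ToyPam stands in for one pam_start() handle and ToyKrb5Account for a pam_krb5-like module; the class names, prompt strings, the user "alice" and the scripted client replies are all constructed here, and only the return-code values follow Linux-PAM's headers. It shows two things. First, a password (or publickey) userauth that hits PAM_NEW_AUTHTOK_REQD is failed and the only method offered for continuation is keyboard-interactive. Second, the keyboard-interactive retry runs pam_authenticate, pam_acct_mgmt, pam_chauthtok, pam_setcred and pam_open_session on one handle in one process, so the module's private stash survives and the Kerberos password is prompted for once. A last function reproduces the split-handle failure mode Darren describes, where the stash is lost and the module has to prompt for the Kerberos password again.

```python
"""Toy model of the PAM call ordering for SSH userauth.

NOT libpam and NOT sshd: ToyPam stands in for one pam_start() handle,
ToyKrb5Account for a pam_krb5-like module plus the account it checks.
Return-code values follow Linux-PAM's headers; all else is constructed.
"""

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12

KBDINT = "keyboard-interactive"


class ToyPam:
    """One PAM handle.  Module-private data (the "stash", a pam_set_data()
    analogue) lives on the handle and dies with it and its process."""

    def __init__(self, user, answers):
        self.user = user
        self.answers = answers      # prompt -> scripted client reply (constructed)
        self.prompts = []           # every conversation prompt issued
        self.stash = {}

    def conv(self, prompt):
        """Conversation function: record the prompt, return the scripted reply."""
        self.prompts.append(prompt)
        return self.answers[prompt]


class ToyKrb5Account:
    """pam_krb5-like module entry points over one toy account."""

    def __init__(self, password, expired):
        self.password = password
        self.expired = expired

    def authenticate(self, h):
        if h.conv("Password: ") != self.password:
            return PAM_AUTH_ERR
        h.stash["krb5_old_password"] = self.password   # module's private stash
        return PAM_SUCCESS

    def acct_mgmt(self, h):
        return PAM_NEW_AUTHTOK_REQD if self.expired else PAM_SUCCESS

    def chauthtok(self, h):
        # Without its stash the module no longer holds the verified old
        # password, so it must ask for it again before taking the new one.
        if "krb5_old_password" not in h.stash:
            if h.conv("Current Kerberos password: ") != self.password:
                return PAM_AUTH_ERR
        self.password = h.conv("New Kerberos password: ")
        self.expired = False
        return PAM_SUCCESS

    def setcred(self, h):
        h.stash["creds_established"] = True
        return PAM_SUCCESS

    def open_session(self, h):
        return PAM_SUCCESS if h.stash.get("creds_established") else PAM_AUTH_ERR


def userauth(method, account, answers, allowed):
    """One SSH userauth attempt with every PAM call on the same handle.
    Returns (outcome, methods that may continue, prompts issued); the
    middle element is what SSH_MSG_USERAUTH_FAILURE would list."""
    if method not in allowed:
        return "FAILURE", sorted(allowed), []
    h = ToyPam("alice", answers)                  # PAM processing from scratch
    if account.authenticate(h) != PAM_SUCCESS:
        return "FAILURE", sorted(allowed), h.prompts
    rc = account.acct_mgmt(h)
    if rc == PAM_NEW_AUTHTOK_REQD:
        if method != KBDINT:
            # Only keyboard-interactive can carry the pam_chauthtok()
            # conversation: fail this attempt and offer nothing else.
            return "FAILURE", [KBDINT], h.prompts
        if account.chauthtok(h) != PAM_SUCCESS:
            return "FAILURE", sorted(allowed), h.prompts
    elif rc != PAM_SUCCESS:
        return "FAILURE", sorted(allowed), h.prompts
    if account.setcred(h) != PAM_SUCCESS or account.open_session(h) != PAM_SUCCESS:
        return "FAILURE", sorted(allowed), h.prompts
    return "SUCCESS", [], h.prompts


def userauth_split_handles(account, answers):
    """The failure mode from the thread: the authenticating process exits,
    and pam_chauthtok() later runs on a fresh handle without the stash."""
    h1 = ToyPam("alice", answers)
    account.authenticate(h1)
    account.acct_mgmt(h1)
    h2 = ToyPam("alice", answers)                 # h1's stash died with h1
    account.chauthtok(h2)
    return h1.prompts + h2.prompts


ANSWERS = {"Password: ": "old-pw",              # constructed client replies
           "Current Kerberos password: ": "old-pw",
           "New Kerberos password: ": "new-pw"}


def demo():
    """Password userauth fails on expiry; the kbd-int retry completes."""
    acct = ToyKrb5Account("old-pw", expired=True)
    first = userauth("password", acct, ANSWERS, {"publickey", "password", KBDINT})
    retry = userauth(KBDINT, acct, ANSWERS, set(first[1]))
    return first, retry


if __name__ == "__main__":
    print(demo())
    print(userauth_split_handles(ToyKrb5Account("old-pw", True), ANSWERS))
```

Running it, the first attempt fails with only "keyboard-interactive" left to continue, the retry succeeds after prompting once for the old and once for the new Kerberos password, and the split-handle path adds a "Current Kerberos password: " prompt because the second handle never saw pam_authenticate().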