Possible security flaw in OpenSSH and/or pam_krb5

Mike Dopheide dopheide at ncsa.uiuc.edu
Thu Jun 9 05:51:18 EST 2005 

openssh-unix-dev at mindrot.org
kerberos at ncsa.uiuc.edu

We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5
module.  When a Kerberos principal has the REQUIRES_PWCHANGE
(+needchange) flag set, OpenSSH+pam_krb5 will still successfully
authenticate the user.  Local 'su' and 'login' fail in this case which
leads us to believe it's at least partially a problem with OpenSSH's
PAM code.

We first noticed this flaw on SLES8 and verified the same problem on
RedHat 9 and RHEL 3.

RedHat 9                                pam_krb5-1.60-1
RedHat Enterprise Linux AS 3 Update 5   pam_krb5-1.75-1
SuSE SLES 8                             pam_krb5-1.0.3-199

Most of my work has been with RedHat 9 and I see the problem with
OpenSSH versions 3.7.1p2, 3.8.1p1, and 4.1p1.

Typically we try not to use pam_krb5, opting for native kerberos
authentication wherever possible. However, the ramification of this
problem is that accounts can still be used after we've 'expired' them
on the KDCs.

Last week (when we still thought it was solely a pam_krb5 issue) we
sent an email to some of the vendors.  The only one who responded was
Nicolas Williams from Sun who has been very helpful.  I'm not very
familiar with how PAM works or the OpenSSH codebase for that matter,
so I'm including some of his tips in case it helps in the
investigation of the problem:

------------------------------------------
 - If the application is not calling, or ignoring non-success return
   values of pam_acct_mgmt() yet still allowing access to the account,
   then the application has a gaping hole and is at fault.

 - A PAM module may defer authentication and authorization, in
   password-change-required situations, to pam_sm_chauthtok(3PAM), but
   if so it must: a) return PAM_SUCCESS from its
   pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from
   its pam_sm_acct_mgmt(3PAM).

   Kerberos V and LDAP BIND type modules typically do this.

   If it does otherwise then it will either not support password aging
   or sport a gaping security hole.

    - Such modules' account modules must be configured as required or
      requisite or binding.

    - Care must be taken not to configure PAM account stacks in such a
      way that another sufficient or binding module may preempt calls to
      pam_sm_acct_mgmt(3PAM) entry points of modules such as pam_krb5.

------------------------------------------

We have not tested OpenSSH with PAM under Solaris.

If anyone has any questions regarding our setup I'll do my best to
answer them.  We're hoping someone can duplicate the problem and we're
willing to test any fixes/patches that come up.

Thanks,
Mike

---------------------------------------------------
Mike Dopheide                dopheide at ncsa.uiuc.edu
System Engineer                Phone:  217.244.0299
NCSA, University of Illinois     Fax:  217.244.1987

More information about the openssh-unix-dev mailing list