bugzilla-daemon at mindrot.org
2005-Aug-25 20:49 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
Summary: if userok rejects a user their creds still get set
Product: Portable OpenSSH
Version: 3.9p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: bitbucket at mindrot.org
ReportedBy: paul.moore at centrify.com
Tested on 3.9p1 - code inspection shows the same issue in 4.x
I have gss_auth set up on both ends. Works fine. I decide that I need to ssh to
the server as a different user.
So I do ssh notme@<host>
Then
a) I get prompted for a password for notme and log in ok
b) the credential cache is set to krb5cc_<uid>_xxxx and is loaded with my
originating credentials, even though I am not logged on as that principal
This is very surprising
The reason is that kuserok is called right at the end of auth, the creds have
been forwarded and sshd is ready to set up the logged-in user's environment;
then right at the last moment we decide not to allow gss to work - but sshd still
stores the creds it has
One line fix to this. In ssh_gssapi_krb5_userok, after failure do
krb5_free_creds(krb_context, client->creds);
this blows the forwarded creds away and so storecreds (called later) does
nothing
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Aug-26 18:29 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
------- Additional Comments From simon at sxw.org.uk 2005-08-27 04:29 -------
Created an attachment (id=951)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=951&action=view)
Delete delegated credentials if userok call fails
bugzilla-daemon at mindrot.org
2005-Aug-26 18:30 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
------- Additional Comments From simon at sxw.org.uk 2005-08-27 04:30 -------
Unfortunately, you can't (safely and portably) just call krb5_free_creds on the
client->creds structure, as it's a pointer to a GSSAPI structure, which will not
necessarily be the same (or managed by the same allocator) as the underlying
Kerberos one.
I believe that the attached patch should solve the problem.
bugzilla-daemon at mindrot.org
2005-Aug-28 13:38 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
simon at sxw.org.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at sxw.org.uk
bugzilla-daemon at mindrot.org
2005-Aug-29 11:08 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
------- Additional Comments From djm at mindrot.org 2005-08-29 21:08 -------
(From update of attachment 951)
>+ gss_release_buffer(&lmin, &gssapi_client.displayname);
>+ gss_release_buffer(&lmin, &gssapi_client.exportedname);
>+ gss_release_cred(&lmin, gssapi_client.creds);
shouldn't that be &gssapi_client.creds?
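Review bot: the third quoted line passes gssapi_client.creds by value, but the second parameter of gss_release_cred is gss_cred_id_t * (RFC 2744), and on success the call resets that handle to GSS_C_NO_CREDENTIAL; it should read gss_release_cred(&lmin, &gssapi_client.creds); so the delegated credential is both released and left null for any later check such as the storecreds path. As written the compiler would warn about an incompatible pointer type and the credential would never be freed, leaving the reported behaviour in place.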
bugzilla-daemon at mindrot.org
2005-Aug-29 11:19 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
------- Additional Comments From djm at mindrot.org 2005-08-29 21:18 -------
Created an attachment (id=952)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=952&action=view)
Fix arg to gss_release_cred
Like this
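The ordering problem from the original report and the fix reviewed above, as an added self-contained model rather than OpenSSH code: real GSSAPI is replaced by a tiny stand-in so it builds without libgssapi, and all model_* names are hypothetical. It shows why a rejected userok must release the delegated credential (through a pointer, so the handle is reset) before the later storecreds step runs.

```c
/* Added example, not OpenSSH code: a runnable model of the bug 1073 ordering.
 * GSSAPI is replaced by a stand-in so it builds without libgssapi; the model_*
 * names are hypothetical. */
#include <stdlib.h>
#include <string.h>
typedef struct { int delegated; } model_cred;
typedef model_cred *gss_cred_id_t;                 /* handle, as in GSSAPI */
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t)0)

/* Stand-in for gss_release_cred(): like the real call it takes a POINTER to the
 * handle and resets it to GSS_C_NO_CREDENTIAL, hence "&gssapi_client.creds". */
static void model_release_cred(gss_cred_id_t *handle)
{
    free(*handle);
    *handle = GSS_C_NO_CREDENTIAL;
}
typedef struct { gss_cred_id_t creds; char principal[32]; } model_client;

/* Model of ssh_gssapi_userok(): principal may only log in as the matching user.
 * fixed == 0 mirrors 3.9p1 (rejects but keeps the delegated credential);
 * fixed == 1 mirrors the applied patch (release it and clear client state). */
static int model_userok(model_client *c, const char *requested_user, int fixed)
{
    if (strcmp(c->principal, requested_user) == 0)
        return 1;
    if (fixed) {
        model_release_cred(&c->creds);
        memset(c, 0, sizeof(*c));
    }
    return 0;
}

/* Model of ssh_gssapi_storecreds(): 1 if a krb5cc cache would be written. */
static int model_storecreds(const model_client *c) { return c->creds != GSS_C_NO_CREDENTIAL; }

/* The sequence from the report: credentials are delegated early, userok runs
 * at the very end of auth, and storecreds runs after it regardless. */
static int model_session(const char *principal, const char *requested, int fixed)
{
    model_client c;
    memset(&c, 0, sizeof(c));
    strncpy(c.principal, principal, sizeof(c.principal) - 1);
    c.creds = calloc(1, sizeof(model_cred));      /* delegated by the client */
    (void)model_userok(&c, requested, fixed);     /* "notme" is rejected here */
    int stored = model_storecreds(&c);            /* the leak in 3.9p1 */
    model_release_cred(&c.creds);                 /* model cleanup only */
    return stored;
}
```

model_session("paul", "notme", 0) returns 1 (cache written for a rejected login), while the fixed variant returns 0.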
bugzilla-daemon at mindrot.org
2005-Aug-29 11:34 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
simon at sxw.org.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #951 is obsolete|0 |1
------- Additional Comments From simon at sxw.org.uk 2005-08-29 21:34 -------
(From update of attachment 951)
Indeed it should be - good catch. Obsoleting older patch.
bugzilla-daemon at mindrot.org
2005-Aug-30 22:07 UTC
[Bug 1073] if userok rejects a user their creds still get set
http://bugzilla.mindrot.org/show_bug.cgi?id=1073
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From djm at mindrot.org 2005-08-31 08:07 -------
Fix applied, will be in the imminent release (4.2)