openssh unix dev - Jun 2005 - Possible security flaw in OpenSSH and/or pam_krb5

openssh-unix-dev at mindrot.org
kerberos at ncsa.uiuc.edu

We believe there is a security flaw in either OpenSSH and/or RedHat's
pam_krb5
module.  When a Kerberos principal has the REQUIRES_PWCHANGE
(+needchange) flag set, OpenSSH+pam_krb5 will still successfully
authenticate the user.  Local 'su' and 'login' fail in this case
which
leads us to believe it's at least partially a problem with OpenSSH's
PAM code.

We first noticed this flaw on SLES8 and verified the same problem on
RedHat 9 and RHEL 3.

RedHat 9                                pam_krb5-1.60-1
RedHat Enterprise Linux AS 3 Update 5   pam_krb5-1.75-1
SuSE SLES 8                             pam_krb5-1.0.3-199

Most of my work has been with RedHat 9 and I see the problem with
OpenSSH versions 3.7.1p2, 3.8.1p1, and 4.1p1.

Typically we try not to use pam_krb5, opting for native kerberos
authentication wherever possible. However, the ramification of this
problem is that accounts can still be used after we've 'expired'
them
on the KDCs.

Last week (when we still thought it was solely a pam_krb5 issue) we
sent an email to some of the vendors.  The only one who responded was
Nicolas Williams from Sun who has been very helpful.  I'm not very
familiar with how PAM works or the OpenSSH codebase for that matter,
so I'm including some of his tips in case it helps in the
investigation of the problem:

------------------------------------------
 - If the application is not calling, or ignoring non-success return
   values of pam_acct_mgmt() yet still allowing access to the account,
   then the application has a gaping hole and is at fault.

 - A PAM module may defer authentication and authorization, in
   password-change-required situations, to pam_sm_chauthtok(3PAM), but
   if so it must: a) return PAM_SUCCESS from its
   pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from
   its pam_sm_acct_mgmt(3PAM).

   Kerberos V and LDAP BIND type modules typically do this.

   If it does otherwise then it will either not support password aging
   or sport a gaping security hole.

    - Such modules' account modules must be configured as required or
      requisite or binding.

    - Care must be taken not to configure PAM account stacks in such a
      way that another sufficient or binding module may preempt calls to
      pam_sm_acct_mgmt(3PAM) entry points of modules such as pam_krb5.

------------------------------------------

We have not tested OpenSSH with PAM under Solaris.

If anyone has any questions regarding our setup I'll do my best to
answer them.  We're hoping someone can duplicate the problem and we're
willing to test any fixes/patches that come up.

Thanks,
Mike

---------------------------------------------------
Mike Dopheide                dopheide at ncsa.uiuc.edu
System Engineer                Phone:  217.244.0299
NCSA, University of Illinois     Fax:  217.244.1987

I can't comment on the Kerberos aspects, but as far as sshd's PAM 
interface goes:

Mike Dopheide wrote:
[...]
>  - If the application is not calling, or ignoring non-success return
>    values of pam_acct_mgmt() yet still allowing access to the account,
>    then the application has a gaping hole and is at fault.
sshd calls pam_acct_mgmt (via auth{1,2}.c -> auth-pam.c:do_pam_account). 
  If it returns PAM_NEW_AUTHTOK_REQD, sshd forces a password change, 
either via keyboard-interactive or once the session starts.

You can check what the PAM stack is returning by running sshd in debug 
mode and checking for the line "PAM: do_pam_account pam_acct_mgmt =
x".
>  - A PAM module may defer authentication and authorization, in
>    password-change-required situations, to pam_sm_chauthtok(3PAM), but
>    if so it must: a) return PAM_SUCCESS from its
>    pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from
>    its pam_sm_acct_mgmt(3PAM).
[...]
> If anyone has any questions regarding our setup I'll do my best to
> answer them.  We're hoping someone can duplicate the problem and
we're
> willing to test any fixes/patches that come up.
What do the PAM config files look like?  Can you provide sshd debug output?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.