pam_krb5 & kdm: local root compromise (or misconfiguration?)
Hello list,

in the process of installing SuSE 8.1 Prof I am configuring all workstations to authenticate against a Kerberos 5 server, using LDAP for directory services. I stumbled upon something which looks to me like a very dangerous security hole, but maybe I did some blatant misconfiguration (in that case I would be more than thankful if someone could point it out to me).

Configuration:

- using nss_ldap for users and groups
- /etc/krb5.conf configured for our realm
- created host principal for workstation and added to /etc/krb5.keytab
- inserted "auth sufficient pam_krb5.so debug" line at the beginning of /etc/pam.d/xdm, with corresponding lines for "account" and "session"

The problem goes as follows:

- user logs in via kdm
- tickets are obtained and validated from kdc
- credentials cache file /tmp/krb5cc_0 (!) is created and KRB5CCNAME set accordingly for the session
- user logs out, but credentials file is *not* deleted
- log in as a different (!) user
- tickets are obtained and validated from kdc
- cc file /tmp/krb5cc_0 already exists, and cannot be written (according to logs, pam_krb5 module returns 'error in service module')
- error return is discarded, login continues and all processes strangely start up with root privileges

I think the naming of the cc file (krb5cc_0) is already indicative that root privileges are retained for too long. Furthermore the fact that the cc file is not correctly removed on logout is already a security concern in itself.

Additional info:

- sshd behaves correctly, i.e. the cc file is named /tmp/krb5cc_{uid}, and it is removed after logout
- gdm behaves semi-correctly, i.e. the cc file is named /tmp/krb5cc_0, it is removed after logout, and the case of an existing unwritable cache file is treated by refusing login (of course this still qualifies as a DoS attack against the workstation)
- maybe part of the problem is related to an incorrect ordering of PAM calls inside kdm (in fact I had posted a bug report about something similar three years ago, I wonder if it still has not been fixed?)

Can someone reproduce or comment on this? I can provide additional info, complete log and configuration files on request.

Regards
--
Helge Bahmann <bahmann@math.tu-freiberg.de>
The past: Smart users in front of dumb terminals
$ ./configure
checking whether build environment is sane... yes
checking for AIX... no (we already did this)
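A defender-side check for the stale-cache condition described above, added here as an example and not part of the original thread: it lists the Kerberos credential caches in a shared directory and flags any cache whose uid suffix does not match its owner, any cache owned by root, and any cache readable by others. It assumes GNU `stat` and caches named `krb5cc_<uid>` with an optional random suffix (the `collect_ccaches`/`audit_ccaches` names and the `ROOT_CCACHE_OK` switch are my own).

```shell
#!/bin/sh
# Audit Kerberos credential caches in a directory (default /tmp).
# Each cache is expected to be named krb5cc_<uid>, be owned by that uid,
# and be unreadable by anyone else. A cache named for one uid but owned
# by another (e.g. krb5cc_0 left behind by a display manager session),
# a root-owned cache in a shared directory, or a group/world-readable
# cache is reported.

# Emit one "path uid mode" line per krb5cc_* file in DIR (GNU stat assumed).
collect_ccaches() {
    dir=${1:-/tmp}
    find "$dir" -maxdepth 1 -name 'krb5cc_*' -exec stat -c '%n %u %a' {} + 2>/dev/null
}

# Read "path uid mode" lines on stdin, print one finding per line and
# return the number of findings as the exit status (0 = clean).
# Set ROOT_CCACHE_OK=1 on hosts where root legitimately keeps a cache.
audit_ccaches() {
    findings=0
    while read -r path uid mode; do
        [ -n "$path" ] || continue
        name=${path##*/}
        suffix=${name#krb5cc_}
        name_uid=${suffix%%_*}   # drop a trailing _XXXXXX mkstemp suffix
        case $name_uid in
            ''|*[!0-9]*) echo "SUSPECT $path: no uid in cache name"
                         findings=$((findings + 1)); continue ;;
        esac
        if [ "$name_uid" -ne "$uid" ]; then
            echo "MISMATCH $path: named for uid $name_uid but owned by uid $uid"
            findings=$((findings + 1))
        fi
        if [ "$uid" -eq 0 ] && [ "${ROOT_CCACHE_OK:-0}" -ne 1 ]; then
            echo "ROOT $path: credential cache owned by root in a shared directory"
            findings=$((findings + 1))
        fi
        case $mode in
            600|400) ;;
            *) echo "PERMS $path: mode $mode, expected 600"
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Stand-alone usage on a live host (uncomment):
# collect_ccaches /tmp | audit_ccaches
```

Run it from cron or after a kdm logout; a non-zero exit with a `MISMATCH` or `ROOT` line on /tmp/krb5cc_0 is exactly the leftover-cache state the thread describes.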
On Fri, Dec 06, 2002 at 07:21:42PM +0100, Helge Bahmann wrote:
> - tickets are obtained and validated from kdc
> - credentials cache file /tmp/krb5cc_0 (!) is created and KRB5CCNAME set accordingly for the session
You should check the README that comes with our pam_krb5 RPM. It describes how to use separate cc files for all sessions.
> - user logs out, but credentials file is *not* deleted
That is probably a bug in kdm. It should call PAM to close the session but apparently doesn't.
> - error return is discarded, login continues and all processes strangely start up with root privileges
That is a bug indeed, possibly in kdm as well. I will look into this.

Olaf
--
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
Hello Olaf,

thanks for your quick response.

On Fri, 6 Dec 2002 Olaf Kirch assaulted the keyboard and produced:
> On Fri, Dec 06, 2002 at 07:21:42PM +0100, Helge Bahmann wrote:
> > - tickets are obtained and validated from kdc
> > - credentials cache file /tmp/krb5cc_0 (!) is created and KRB5CCNAME set accordingly for the session
>
> You should check the README that comes with our pam_krb5 RPM. It describes how to use separate cc files for all sessions.
You are referring to the ccache parameter? Yes, I know, I'm using it; but since the cc file names are still quite easily guessable, the possibility of the root compromise remains (unless there is some misconfiguration on my part, which I'm still not sure about -- the behavior is just too strange). Will try to produce some more information.

Best regards
--
Helge Bahmann <bahmann@math.tu-freiberg.de>
The past: Smart users in front of dumb terminals
$ ./configure
checking whether build environment is sane... yes
checking for AIX... no (we already did this)