[2590] in Kerberos-V5-bugs


pending/306: ksu

daemon@ATHENA.MIT.EDU (Richard Basch)
Wed Dec 18 23:53:20 1996

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, "Richard Basch" <basch@lehman.com>
Date: Wed, 18 Dec 1996 23:51:58 -0500
From: "Richard Basch" <basch@lehman.com>
To: krb5-bugs@MIT.EDU


>Number:         306
>Category:       pending
>Synopsis:       ksu
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Dec 18 23:53:00 EST 1996
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Note:
I have not tested the following in a while, but the code path looks like
the condition still exists...

Problem:
If a user obtains credentials, with kinit, and then accesses the local
host such that they have a credential for the local machine (perhaps
login acquires one... it doesn't matter...), and then the credentials
expire, ksu should prompt for a password.  However, ksu blindly trusts
the expired credentials.  Looking at krb_auth_su.c, krb5_auth_check()
will check the credential expiration time.  However, the function will
first call krb5_fast_auth to see if there are existing credentials that
decode properly and if there are, it will return success.  Using that
code path, krb5_check_exp() is not called, thereby permitting expired
credentials to function.


Richard Basch                   
Sr. Developer/Analyst, DSO      URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.           Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 38th Floor      Fax:   +1-201-524-5828
Jersey City, NJ 07302-3988      Voice: +1-201-524-5049
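
A simplified model of the control flow described in the report above, added here as an illustration; it is not code from ksu or the MIT Kerberos source. The struct, the function names, and the stand-in for the slower path are hypothetical; only the ordering (a fast path that returns success before any expiration check) comes from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* Simplified model of a credential cache; these are not krb5 types. */
struct cred { bool decodes_ok; time_t endtime; };
struct ccache_model {
    const struct cred *host_ticket;  /* ticket for the local host, or NULL */
    const struct cred *tgt;          /* ticket-granting ticket, or NULL */
};

enum auth_result { AUTH_OK, AUTH_NEED_PASSWORD };

static bool expired(const struct cred *c, time_t now)
{
    return c->endtime <= now;
}

/* Fast path: succeeds if a cached host ticket decodes properly. */
static bool fast_auth(const struct ccache_model *cc)
{
    return cc->host_ticket != NULL && cc->host_ticket->decodes_ok;
}

/* Assumed stand-in for the slower path: usable only with an unexpired TGT. */
static bool slow_auth(const struct ccache_model *cc, time_t now)
{
    return cc->tgt != NULL && !expired(cc->tgt, now);
}

/* Ordering described in the report: the fast path returns success
 * before any expiration check has run. */
enum auth_result auth_check_reported(const struct ccache_model *cc, time_t now)
{
    if (fast_auth(cc))
        return AUTH_OK;
    return slow_auth(cc, now) ? AUTH_OK : AUTH_NEED_PASSWORD;
}

/* Hardened ordering: the fast path also requires an unexpired ticket,
 * so stale credentials fall through to the password prompt. */
enum auth_result auth_check_hardened(const struct ccache_model *cc, time_t now)
{
    if (fast_auth(cc) && !expired(cc->host_ticket, now))
        return AUTH_OK;
    return slow_auth(cc, now) ? AUTH_OK : AUTH_NEED_PASSWORD;
}
```
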

