[2874] in Kerberos-V5-bugs
krb5-clients/545: ksu bug
daemon@ATHENA.MIT.EDU (vwelch@ncsa.uiuc.edu)
Wed Feb 4 16:53:31 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, vwelch@ncsa.uiuc.edu
Date: Wed, 4 Feb 1998 15:52:37 -0600
From: vwelch@ncsa.uiuc.edu
Reply-To: vwelch@ncsa.uiuc.edu
To: krb5-bugs@MIT.EDU
Cc: vwelch@ncsa.uiuc.edu
>Number: 545
>Category: krb5-clients
>Synopsis: Under certain conditions ksu doesn't check host ticket in ccache for expiration
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Feb 04 16:53:01 EST 1998
>Last-Modified:
>Originator: Von Welch
>Organization:
------------------------------------------------------------------------
Von Welch Senior Network Engineer vwelch@ncsa.uiuc.edu
National Center for Supercomputing Applications
------------------------------------------------------------------------
>Release: krb5-1.0.4
>Environment:
System: SunOS computer.ncsa.uiuc.edu 5.4 Generic_101945-29 sun4m sparc
Affects all OSes.
>Description:
If ksu is run so that it uses the current ccache as the target (i.e.
"ksu -C ."), the fast_auth function will check the cache for a host
ticket, but does not check to see if the ticket has expired. This will
result in it authenticating a user based on an expired ticket.
And yes, I'm accounting for the clock skew. You can use a ticket that
expired days ago.
I believe it works with the '-C .' option because this causes ksu not
to copy the cache, which normally filters out expired credentials.
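To make the failure mode concrete, the following is a constructed model of the fast_auth check in C (an added example, not ksu's code): the "before" routine accepts any host ticket found in the cache whose client matches, the "after" routine additionally enforces the ticket's end time plus the allowed clock skew, which is what the krb5_check_exp() call in the fix below does. The ccache entries, principal names, error-code values and timestamps are all made up, and the lookup stands in for ksu's real ccache and ticket handling.

```c
/* Constructed model of the ksu fast_auth path described in this report.
 * Added example, not ksu code; every value below is made up. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define KRB_OK 0
#define ERR_NO_TICKET 1               /* stand-in: no host ticket in the ccache */
#define ERR_CLIENT_MISMATCH 2         /* stand-in: the principal_compare failure */
#define KRB5KRB_AP_ERR_TKT_EXPIRED 3  /* placeholder value, not the real constant */

struct cred {                         /* one ccache entry: who, for what, until when */
    const char *client;
    const char *server;
    time_t endtime;
};

/* Constructed ccache: a TGT and a host ticket, both with endtime 1000. */
static const struct cred ccache[] = {
    { "user@EXAMPLE.ORG", "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", 1000 },
    { "user@EXAMPLE.ORG", "host/computer.example.org@EXAMPLE.ORG", 1000 },
};

static const struct cred *find_host_ticket(const char *server) {
    size_t i;
    for (i = 0; i < sizeof ccache / sizeof ccache[0]; i++)
        if (strcmp(ccache[i].server, server) == 0)
            return &ccache[i];
    return NULL;
}

/* Before the fix: a host ticket in the cache is accepted if the client matches;
 * the ticket's lifetime is never consulted. */
int verify_tkt_before_fix(const char *client, const char *server, time_t now, long skew) {
    const struct cred *c = find_host_ticket(server);
    (void)now; (void)skew;
    if (!c) return ERR_NO_TICKET;
    return strcmp(c->client, client) == 0 ? KRB_OK : ERR_CLIENT_MISMATCH;
}

/* After the fix: same check, but a ticket whose endtime (plus clock skew) has
 * passed is rejected before the client comparison. */
int verify_tkt_after_fix(const char *client, const char *server, time_t now, long skew) {
    const struct cred *c = find_host_ticket(server);
    if (!c) return ERR_NO_TICKET;
    if (now > c->endtime + skew) return KRB5KRB_AP_ERR_TKT_EXPIRED;
    return strcmp(c->client, client) == 0 ? KRB_OK : ERR_CLIENT_MISMATCH;
}
```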
>How-To-Repeat:
1) Put yourself in root's .k5login
2) Get a tgt with a 1 minute lifetime
3) Get a ticket for the local host (e.g. run ksu and then exit the resulting shell).
4) Wait and let your credentials expire
5) run "ksu -C ." and ksu will let you become root based on the expired tickets.
>Fix:
The following patch has ksu check the expiration time on the tickets
it gets from the ccache.
Index: krb_auth_su.c
===================================================================
RCS file: /afs/ncsa/src/kerberos/NRL_CVSROOT/krb5/clients/ksu/krb_auth_su.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 krb_auth_su.c
*** krb_auth_su.c 1997/06/02 21:54:51 1.1.1.1
--- krb_auth_su.c 1998/02/04 21:14:10
***************
*** 341,347 ****
return(retval);
}
!
if (!krb5_principal_compare(context, client, tkt->enc_part2->client)) {
krb5_free_ticket(context, tkt);
--- 341,357 ----
return(retval);
}
! /* Check to make sure ticket hasn't expired */
! if (retval = krb5_check_exp(context, tkt->enc_part2->times)) {
! if (auth_debug && (retval == KRB5KRB_AP_ERR_TKT_EXPIRED)) {
! fprintf(stderr,
! "krb5_verify_tkt_def: ticket has expired");
! }
! krb5_free_ticket(context, tkt);
! krb5_kt_free_entry(context, &ktentry);
! krb5_free_keyblock(context, tkt_key);
! return KRB5KRB_AP_ERR_TKT_EXPIRED;
! }
if (!krb5_principal_compare(context, client, tkt->enc_part2->client)) {
krb5_free_ticket(context, tkt);
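Review bot: the new block discards krb5_check_exp()'s real return value: the `return KRB5KRB_AP_ERR_TKT_EXPIRED;` at the end of the added lines reports an expired ticket even when krb5_check_exp() failed for some other reason (the inner `if` already distinguishes that case for the debug message), so it should be `return retval;`. Two smaller points: `if (retval = krb5_check_exp(context, tkt->enc_part2->times))` wants a second set of parentheses around the assignment to mark it as intentional, and the debug fprintf string "krb5_verify_tkt_def: ticket has expired" lacks a trailing `\n`.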
>Audit-Trail:
>Unformatted: