Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) X-RT-Original-Encoding: iso-8859-1 Content-Length: 3734 From Kerry.Thompson@airnz.co.nz Wed Feb 2 23:01:31 2000 Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id XAA20332 for ; Wed, 2 Feb 2000 23:01:29 -0500 (EST) Received: from aklip01u.airnz.co.nz by MIT.EDU with SMTP id AA04669; Wed, 2 Feb 00 23:02:38 EST Received: (from uucp@localhost) by aklip01u.airnz.co.nz (8.9.1a/8.9.1) id RAA23989 for ; Thu, 3 Feb 2000 17:01:24 +1300 (NZDT) Received: from unknown(10.65.16.76) by aklip01u.airnz.co.nz via smap (V5.0) id xma023942; Thu, 3 Feb 00 17:00:57 +1300 Received: from aklis04w.airnz.co.nz (aklis04w.airnz.co.nz [10.65.16.156]) by aklndcvu.airnz.co.nz (8.9.1a/8.9.1) with SMTP id RAA14220 for ; Thu, 3 Feb 2000 17:00:53 +1300 (NZDT) Received: from aklex05w.airnz.co.nz (10.65.20.80) by aklis04w.airnz.co.nz Thursday, February 03, 2000 16:58:43 Received: by aklex05w.airnz.co.nz with Internet Mail Service (5.5.2650.10) id ; Thu, 3 Feb 2000 17:00:35 +1300 Message-Id: Date: Thu, 3 Feb 2000 17:00:33 +1300 From: "Thompson, Kerry" To: "'krb5-bugs@mit.edu'" Subject: Bug? - forwarding tickets to telnetd/login.krb5 allows root acces s >Number: 820 >Category: krb5-appl >Synopsis: Bug? - forwarding tickets to telnetd/login.krb5 allows root acces >Confidential: yes >Severity: serious >Priority: medium >Responsible: krb5-unassigned >State: open >Class: sw-bug >Submitter-Id: unknown >Arrival-Date: Wed Feb 2 23:02:01 EST 2000 >Last-Modified: Tue Feb 22 16:32:31 EST 2000 >Originator: "Thompson, Kerry" >Organization: >Release: >Environment: >Description: s Chaps When I use 'telnet -Fa' to forward my credentials to the destination host and auto-authenticate, I end up with root access ( whether my principal is in /.k5login or not ). This could be a problem in some installations. This seems to be a new problem in krb5 1.1.0, it wasn't occurring in 1.0.5. In fact, installing the older 1.0.5 login.krb5 program seems to fix the problem. aklndcwu: aklndcwu: aklndcwu: aklndcwu: aklndcwu: id uid=106(xthomk) gid=101(security) aklndcwu: aklndcwu: kdestroy aklndcwu: kinit -f Password for xthomk@AIRNZ.CO.NZ: aklndcwu: telnet -Fa aklia02u Trying 10.65.35.40... Connected to aklia02u.airnz.co.nz (10.65.35.40). Escape character is '^]'. [ Kerberos V5 accepts you as ``xthomk@AIRNZ.CO.NZ'' ] [ Kerberos V5 accepted forwarded credentials ] Sun Microsystems Inc. SunOS 5.6 Loaded : Mon Nov 1 17:37:13 NZDT 1999 aklia02u: id uid=0(root) gid=101(security) aklia02u: cat /.k5login nobody@AIRNZ.CO.NZ aklia02u: -- Kerry Thompson Air NZ Border Management _____________________________________________________________________ CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error please notify Air New Zealand immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Air New Zealand. _____________________________________________________________________ >How-To-Repeat: >Fix: >Audit-Trail: Responsible-Changed-From-To: gnats-admin->krb5-unassigned Responsible-Changed-By: raeburn Responsible-Changed-When: Tue Feb 22 16:32:21 2000 Responsible-Changed-Why: Reformat, fix category. >Unformatted: