From sean@mail.tgd.net Sat Jan 26 18:59:13 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id SAA27153
for <bugs@RT-11.mit.edu>; Sat, 26 Jan 2002 18:59:12 -0500 (EST)
Received: from mail.tgd.net (mail.tgd.net [209.81.25.10])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id SAA01898
for <krb5-bugs@mit.edu>; Sat, 26 Jan 2002 18:59:12 -0500 (EST)
Received: by mail.tgd.net (Postfix, from userid 1001)
id 8375220F0A; Sat, 26 Jan 2002 15:59:11 -0800 (PST)
Message-Id: <20020126235911.8375220F0A@mail.tgd.net>
Date: Sat, 26 Jan 2002 15:59:11 -0800 (PST)
From: sean@chittenden.org
Reply-To: sean@chittenden.org
To: krb5-bugs@mit.edu
Subject: telnet sets the key cache to UID/GID 0 for non-UID 0 users
X-Send-Pr-Version: 3.99

>Number: 1046
>Category: telnet
>Synopsis: telnet sets the key cache to UID/GID 0 for non-UID 0 users
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: hartmans
>State: analyzed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Jan 26 19:00:00 EST 2002
>Last-Modified: Mon Apr 22 17:19:00 EDT 2002
>Originator: Sean Chittenden
>Organization:

>Release: krb5-1.2.3
>Environment:

System: FreeBSD ninja1.internal 4.5-RC FreeBSD 4.5-RC #0: Thu Jan 10 14:10:58 PST 2002 root@ninja1.internal:/opt/obj/opt/src/sys/NINJA i386


>Description:
I just upgraded from 1.2.2 to 1.2.3 and when I telnet to a system using
kerberos (telnet -axF) I am granted access to the system, however
my key cache on the remote system is set to UID/GID 0:0 and I can't
ksu to root. I didn't see anything in the release notes.
>How-To-Repeat:
> kinit
Password for sean@INTERNAL:
sean@ninja1:~ > /usr/local/bin/telnet -axF lan.internal
Trying 192.168.1.253...
Connected to lan.internal (192.168.1.253).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``sean@INTERNAL'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Sat Jan 26 15:10:30 from ninja1
sean@lan:~ > ls -lA /tmp/krb5*
-rw------- 1 root wheel 423 Jan 26 15:52 /tmp/krb5cc_p55699
3:53pm sean@lan:~ > ksu
ksu: Credentials cache permissions incorrect while opening ccache
sean@lan:~ > grep telnetd /etc/inetd.conf
telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid
sean@lan:~ > exit
Connection closed by foreign host.
sean@ninja1:~ > /usr/local/bin/telnet -axF -l root lan.internal
Trying 192.168.1.253...
Connected to lan.internal (192.168.1.253).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``sean@INTERNAL'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Sat Jan 26 15:53:00 from ninja1
3:55pm root@lan:~ #

>Fix:
man 2 chown
#include <unistd.h>
int chown(const char *path, uid_t owner, gid_t group);
>Audit-Trail:

State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Tue Jan 29 15:33:57 2002
State-Changed-Why:


From: Tom Yu <tlyu@MIT.EDU>
To: sean@chittenden.org
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Tue, 29 Jan 2002 15:33:50 -0500 (EST)

Are you sure you changed nothing else while upgrading? We didn't
change any of the ccache-rewriting code between 1.2.2 and 1.2.3. Does
reverting to 1.2.2 cause the problem to go away?

---Tom

From: Sam Hartman <hartmans@MIT.EDU>
To: sean@chittenden.org
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Tue, 16 Apr 2002 14:55:34 -0400 (EDT)

Hi. Do you see any errors being syslogged by telnetd or login.krb5?

Also, does the problem go away if you set v4_convert to false in
/etc/krb5.conf in the login stanza? I tried to reproduce your problem
and failed.


From: Sean Chittenden <sean@chittenden.org>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Thu, 18 Apr 2002 16:59:58 -0700

> Hi. Do you see any errors being syslogged by telnetd or login.krb5?
>
> Also, does the problem go away if you set v4_convert to false in
> /etc/krb5.conf in the login stanza? I tried to reproduce your
> problem and failed.

I have an almost empty krb5.conf file:

[libdefaults]
ticket_lifetime = 6000
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = kerberos.internal:88
admin_server = kerberos.internal:749
default_domain = internal
}

[domain_realm]
.internal = EXAMPLE.COM
internal = EXAMPLE.COM
.tgd.net = EXAMPLE.COM
tgd.net = EXAMPLE.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log


# From my /etc/inetd.conf
telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid


And here's a sample session:

> kinit
Password for user@EXAMPLE.COM:
> telnet -axF host2
Trying 192.168.1.11...
Connected to host2.internal (192.168.1.11).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``user@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Thu Apr 18 16:51:31 from ninja1
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

> env |grep krb
KRB5CCNAME=FILE:/tmp/krb5cc_p27004
> ls -l /tmp/krb5cc_p27004
-rw------- 1 root wheel 419 Apr 18 16:54 /tmp/krb5cc_p27004
> kinit
Password for user@EXAMPLE.COM:
kinit(v5): Internal credentials cache error when initializing cache
> ls -lA /tmp/krb5cc_p27004
-rw------- 1 root wheel 419 Apr 18 16:54 /tmp/krb5cc_p27004
> uname -s -r
FreeBSD 4.5-STABLE

Kerberos version 1.2.3. I've been looking at the commits and haven't
seen anything to suggest that this has been fixed. What other
information do you want/need? -sc

--
Sean Chittenden


From: Sam Hartman <hartmans@MIT.EDU>
To: Sean Chittenden <sean@chittenden.org>
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 11:44:47 -0400

As I indicated in my original mail I need any syslog messages that are
logged.

From: Sean Chittenden <sean@chittenden.org>
To: Sam Hartman <hartmans@mit.edu>
Cc: krb5-bugs@mit.edu
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 12:16:27 -0700

> As I indicated in my original mail I need any syslog messages that
> are logged.

I don't see how this'll help, but I'm game. On the KDC when I do a
kinit:

Apr 19 12:00:24 kdc-host krb5kdc[102]: AS_REQ (2 etypes {16 1}) 192.168.1.10(88): ISSUE: authtime 1019242824, etypes {rep=16 tkt=16 ses=16}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM

And when I telnet to the remote host:

Apr 19 12:03:10 kdc-host krb5kdc[102]: TGS_REQ (1 etypes {1}) 192.168.1.10(88): ISSUE: authtime 1019242824, etypes {rep=16 tkt=16 ses=1}, user@EXAMPLE.COM for host/host2.internal@EXAMPLE.COM
Apr 19 12:03:11 kdc-host krb5kdc[102]: TGS_REQ (1 etypes {1}) 192.168.1.10(88): ISSUE: authtime 1019242824, etypes {rep=16 tkt=16 ses=1}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM

And on the remote host:
> klist -5acf
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_p39849)

# KRB5CCNAME="FILE:/tmp/krb5cc_p39849" klist -5acf
Ticket cache: FILE:/tmp/krb5cc_p39849
Default principal: user@EXAMPLE.COM

Valid starting Expires Service principal
04/19/02 12:03:11 04/19/02 22:00:24 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Flags: FfPT
Addresses: host2.internal

When telnet accepts the request, it looks like the chown() call is
failing and the proper user permissions aren't being set. Just a
guess. -sc

--
Sean Chittenden

From: Sean Chittenden <sean@chittenden.org>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: gnats-admin@rt-11.mit.edu
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 14:14:13 -0700

> Sean> When telnet accepts the request, it looks like the chown()
> Sean> call is failing and the proper user permissions aren't being
> Sean> set. Just a guess. -sc
>
> Except that telnetd doesn't do the chown; login.krb5 does. And if
> that chown login.krb5 syslogs an error. Please look at syslogs on
> the remote host.

This is the extent of what gets logged. I used a catch-all *.* to
send everything to one file and this is everything:

# Apr 19 14:03:51 host2 login: login from host1 on ttyp4 as user

What else do you need/want to hear? -sc


PS If logins are done via src/appl/bsd/login.c, then there isn't a
chown() call being issued. After having cruised through the code, it
looks like the forwarded ticket is being written out to /tmp, but
isn't being chowned. ~1639 of login.c, I think it's trying to
recreate the ticket in its place, but is failing because the ticket
already exists with root perms. I could be wrong, but that's my best
guess at the moment. hth.


--
Sean Chittenden


From: Sam Hartman <hartmans@MIT.EDU>
To: Sean Chittenden <sean@chittenden.org>
Cc: gnats-admin@rt-11.mit.edu, krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 17:39:52 -0400

We are unable to reproduce the problem.


From: Sean Chittenden <sean@chittenden.org>
To: Sam Hartman <hartmans@mit.edu>
Cc: gnats-admin@rt-11.mit.edu, krb5-bugs@mit.edu
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 14:45:46 -0700

> We are unable to reproduce the problem.

I have this behavior on an entire installation of FreeBSD machines
with kerberos built from the ports and the bare min config that I sent
earlier. It's very reproducible for me. Where would you like me to
insert some debugging code? -sc

--
Sean Chittenden

From: Sam Hartman <hartmans@MIT.EDU>
To: Sean Chittenden <sean@chittenden.org>
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Mon, 22 Apr 2002 17:18:15 -0400

>>>>> "Sean" == Sean Chittenden <sean@chittenden.org> writes:

>> We are unable to reproduce the problem.

Sean> I have this behavior on an entire installation of FreeBSD
Sean> machines with kerberos built from the ports and the bare min
Sean> config that I sent earlier. It's very reproducible for me.
Sean> Where would you like me to insert some debugging code? -sc

First, please make sure the problem happens with Kerberos built from
our sources with no FreeBSD patches applied.

If so, you should insert code in login or walk through it with a
debugger.

Login reads in the tickets as root, destroys the ticket cache,
seteuids to the user and then writes them out again.

Something is going wrong in this code path.
>Unformatted: