From Kerry.Thompson@airnz.co.nz Wed Feb 2 23:01:31 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id XAA20332
for <bugs@RT-11.MIT.EDU>; Wed, 2 Feb 2000 23:01:29 -0500 (EST)
Received: from aklip01u.airnz.co.nz by MIT.EDU with SMTP
id AA04669; Wed, 2 Feb 00 23:02:38 EST
Received: (from uucp@localhost)
by aklip01u.airnz.co.nz (8.9.1a/8.9.1) id RAA23989
for <krb5-bugs@mit.edu>; Thu, 3 Feb 2000 17:01:24 +1300 (NZDT)
Received: from unknown(10.65.16.76) by aklip01u.airnz.co.nz via smap (V5.0)
id xma023942; Thu, 3 Feb 00 17:00:57 +1300
Received: from aklis04w.airnz.co.nz (aklis04w.airnz.co.nz [10.65.16.156])
by aklndcvu.airnz.co.nz (8.9.1a/8.9.1) with SMTP id RAA14220
for <krb5-bugs@mit.edu>; Thu, 3 Feb 2000 17:00:53 +1300 (NZDT)
Received: from aklex05w.airnz.co.nz (10.65.20.80) by aklis04w.airnz.co.nz
Thursday, February 03, 2000 16:58:43
Received: by aklex05w.airnz.co.nz with Internet Mail Service (5.5.2650.10)
id <DZRP5T6B>; Thu, 3 Feb 2000 17:00:35 +1300
Message-Id: <B0765567@aklis04w.airnz.co.nz>
Date: Thu, 3 Feb 2000 17:00:33 +1300
From: "Thompson, Kerry" <Kerry.Thompson@airnz.co.nz>
To: "'krb5-bugs@mit.edu'" <krb5-bugs@MIT.EDU>
Subject: Bug? - forwarding tickets to telnetd/login.krb5 allows root acces
s
Chaps
When I use 'telnet -Fa' to forward my credentials to the destination host
and auto-authenticate, I end up with root access ( whether my principal is
in /.k5login or not ). This could be a problem in some installations.
This seems to be a new problem in krb5 1.1.0, it wasn't occurring in 1.0.5.
In fact, installing the older 1.0.5 login.krb5 program seems to fix the
problem.
aklndcwu:
aklndcwu:
aklndcwu:
aklndcwu:
aklndcwu: id
uid=106(xthomk) gid=101(security)
aklndcwu:
aklndcwu: kdestroy
aklndcwu: kinit -f
Password for xthomk@AIRNZ.CO.NZ:
aklndcwu: telnet -Fa aklia02u
Trying 10.65.35.40...
Connected to aklia02u.airnz.co.nz (10.65.35.40).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``xthomk@AIRNZ.CO.NZ'' ]
[ Kerberos V5 accepted forwarded credentials ]
Sun Microsystems Inc. SunOS 5.6 Loaded : Mon Nov 1 17:37:13 NZDT 1999
aklia02u: id
uid=0(root) gid=101(security)
aklia02u: cat /.k5login
nobody@AIRNZ.CO.NZ
aklia02u:
--
Kerry Thompson
Air NZ Border Management
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id XAA20332
for <bugs@RT-11.MIT.EDU>; Wed, 2 Feb 2000 23:01:29 -0500 (EST)
Received: from aklip01u.airnz.co.nz by MIT.EDU with SMTP
id AA04669; Wed, 2 Feb 00 23:02:38 EST
Received: (from uucp@localhost)
by aklip01u.airnz.co.nz (8.9.1a/8.9.1) id RAA23989
for <krb5-bugs@mit.edu>; Thu, 3 Feb 2000 17:01:24 +1300 (NZDT)
Received: from unknown(10.65.16.76) by aklip01u.airnz.co.nz via smap (V5.0)
id xma023942; Thu, 3 Feb 00 17:00:57 +1300
Received: from aklis04w.airnz.co.nz (aklis04w.airnz.co.nz [10.65.16.156])
by aklndcvu.airnz.co.nz (8.9.1a/8.9.1) with SMTP id RAA14220
for <krb5-bugs@mit.edu>; Thu, 3 Feb 2000 17:00:53 +1300 (NZDT)
Received: from aklex05w.airnz.co.nz (10.65.20.80) by aklis04w.airnz.co.nz
Thursday, February 03, 2000 16:58:43
Received: by aklex05w.airnz.co.nz with Internet Mail Service (5.5.2650.10)
id <DZRP5T6B>; Thu, 3 Feb 2000 17:00:35 +1300
Message-Id: <B0765567@aklis04w.airnz.co.nz>
Date: Thu, 3 Feb 2000 17:00:33 +1300
From: "Thompson, Kerry" <Kerry.Thompson@airnz.co.nz>
To: "'krb5-bugs@mit.edu'" <krb5-bugs@MIT.EDU>
Subject: Bug? - forwarding tickets to telnetd/login.krb5 allows root acces
s
Show quoted text
>Number: 820
>Category: krb5-appl
>Synopsis: Bug? - forwarding tickets to telnetd/login.krb5 allows root acces
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Feb 2 23:02:01 EST 2000
>Last-Modified: Tue Feb 22 16:32:31 EST 2000
>Originator: "Thompson, Kerry" <Kerry.Thompson@airnz.co.nz>
>Organization:
>Release:
>Environment:
>Description:
s>Category: krb5-appl
>Synopsis: Bug? - forwarding tickets to telnetd/login.krb5 allows root acces
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Feb 2 23:02:01 EST 2000
>Last-Modified: Tue Feb 22 16:32:31 EST 2000
>Originator: "Thompson, Kerry" <Kerry.Thompson@airnz.co.nz>
>Organization:
>Release:
>Environment:
>Description:
Chaps
When I use 'telnet -Fa' to forward my credentials to the destination host
and auto-authenticate, I end up with root access ( whether my principal is
in /.k5login or not ). This could be a problem in some installations.
This seems to be a new problem in krb5 1.1.0, it wasn't occurring in 1.0.5.
In fact, installing the older 1.0.5 login.krb5 program seems to fix the
problem.
aklndcwu:
aklndcwu:
aklndcwu:
aklndcwu:
aklndcwu: id
uid=106(xthomk) gid=101(security)
aklndcwu:
aklndcwu: kdestroy
aklndcwu: kinit -f
Password for xthomk@AIRNZ.CO.NZ:
aklndcwu: telnet -Fa aklia02u
Trying 10.65.35.40...
Connected to aklia02u.airnz.co.nz (10.65.35.40).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``xthomk@AIRNZ.CO.NZ'' ]
[ Kerberos V5 accepted forwarded credentials ]
Sun Microsystems Inc. SunOS 5.6 Loaded : Mon Nov 1 17:37:13 NZDT 1999
aklia02u: id
uid=0(root) gid=101(security)
aklia02u: cat /.k5login
nobody@AIRNZ.CO.NZ
aklia02u:
--
Kerry Thompson
Air NZ Border Management
Show quoted text
_____________________________________________________________________
CAUTION - This message may contain privileged and confidential
information intended only for the use of the addressee named above.
If you are not the intended recipient of this message you are hereby
notified that any use, dissemination, distribution or reproduction
of this message is prohibited. If you have received this message in
error please notify Air New Zealand immediately. Any views expressed
in this message are those of the individual sender and may not
necessarily reflect the views of Air New Zealand.
CAUTION - This message may contain privileged and confidential
information intended only for the use of the addressee named above.
If you are not the intended recipient of this message you are hereby
notified that any use, dissemination, distribution or reproduction
of this message is prohibited. If you have received this message in
error please notify Air New Zealand immediately. Any views expressed
in this message are those of the individual sender and may not
necessarily reflect the views of Air New Zealand.
_____________________________________________________________________
Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Feb 22 16:32:21 2000
Responsible-Changed-Why:
Reformat, fix category.
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Fix:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Feb 22 16:32:21 2000
Responsible-Changed-Why:
Reformat, fix category.
>Unformatted: