From thomas@pongo.cs.wisc.edu Tue Sep 5 15:27:18 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id PAA25874
for <bugs@RT-11.MIT.EDU>; Tue, 5 Sep 2000 15:27:17 -0400 (EDT)
Received: from pongo.cs.wisc.edu by MIT.EDU with SMTP
id AA24848; Tue, 5 Sep 00 15:26:45 EDT
Received: from pongo.cs.wisc.edu (localhost [127.0.0.1])
by pongo.cs.wisc.edu (8.9.2/8.9.2) with ESMTP id OAA07234
for <krb5-bugs@mit.edu>; Tue, 5 Sep 2000 14:27:16 -0500 (CDT)
Message-Id: <200009051927.OAA07234@pongo.cs.wisc.edu>
Date: Tue, 05 Sep 2000 14:27:16 -0500
From: David Thompson <thomas@cs.wisc.edu>
To: krb5-bugs@MIT.EDU
Subject: telnetd doesn't chown ticket file
>Number: 883
>Category: telnet
>Synopsis: telnetd doesn't chown ticket file
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Sep 5 15:28:01 EDT 2000
>Last-Modified: Wed Feb 07 15:45:00 EST 2001
>Originator: Dave Thompson <thomas@cs.wisc.edu>
>Organization:
Associate Researcher Department of Computer Science
University of Wisconsin-Madison http://www.cs.wisc.edu/~thomas
1210 West Dayton Street Phone: (608)-262-1017
Madison, WI 53706-1685 Fax: (608)-262-6626
>Release:
>Environment:
>Description:
On a Linux build of krb5-1.2.1, using the -l option of telnet causes
problems.
For example, with a ticket for 'usera', running:
% telnet -a -F -l userb <host>
fails with:
Trying a.b.c.d...
Connected to <host>.cs.wisc.edu (a.b.c.d).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``usera@CS.WISC.EDU'' ]
[ Kerberos V5 accepted forwarded credentials ]
Password for userb:
Last login: Tue Sep 5 14:02:49 from <somewhere>
operator: unknown RPC error (-1765328188) when initializing cache
k5token: unknown RPC error (-1765328190) failure on principal
Connection closed by foreign host.
In 1.2.1, when telnetd passes the ticket cache on to login.krb5, the ticket
cache is still owned by root. When login.krb5 tries to delete the cache
and recreate it (as userb), it fails, and things fall apart rapidly
after that.
Restoring the 'chown' at the bottom of
.../appl/telnet/libtelnet/forward.c that was removed from 1.0 to 1.2.1
allows the login to work. However, I assume there was a reason why
the chown was removed. Is there a better fix for this problem?
>How-To-Repeat:
>Fix:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Wed Feb 7 15:39:00 2001
Responsible-Changed-Why:
refiled
From: Tom Yu <tlyu@MIT.EDU>
To: thomas@cs.wisc.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/883: telnetd doesn't chown ticket file
Date: Wed, 7 Feb 2001 15:44:47 -0500 (EST)
>>>>> "DT" == David Thompson <thomas@cs.wisc.edu> writes:
DT> operator: unknown RPC error (-1765328188) when initializing cache
DT> k5token: unknown RPC error (-1765328190) failure on principal
These error messages should not be printed by the login.krb5 that
comes with MIT krb5. What login.krb5 program is actually getting run
by telnetd? I suspect there may be a mismatch between your telnetd
and login.krb5.
DT> In 1.2.1, when telnetd passes the ticket cache on to login.krb5, the ticket
DT> cache is still owned by root. When login.krb5 tries to delete the cache
DT> and recreate it (as userb), it fails, and things fall apart rapidly
DT> after that.
Can you diagnose why it fails? As I said above, it's probably a
mismatch between telnetd and login.krb5 programs.
DT> Restoring the 'chown' at the bottom of
DT> .../appl/telnet/libtelnet/forward.c that was removed from 1.0 to 1.2.1
DT> allows the login to work. However, I assume there was a reason why
DT> the chown was removed. Is there a better fix for this problem?
The chown was removed because it is a security hole in some cases
where a naive vendor login may want to access the ccache as root.
There is compensating code that should write out the ccache as the
user.
---Tom
>Unformatted:
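The design point in Tom Yu's reply is that a privileged daemon should write the forwarded ccache out as the user rather than create it as root and chown it afterwards, and that the program running as the user should not blindly unlink and recreate whatever it finds at the cache path. The following is an added example of that pattern; it is not MIT krb5 code and not from either poster. The function names ccache_create_as_user and ccache_check_owner, the /tmp/krb5cc_example_<pid> path and the sample cache bytes are all made up for illustration.

```c
/*
 * Added example, not code from MIT krb5 or from either poster in this
 * report. It shows the pattern described in the reply: create the
 * forwarded credential cache *as the target user* instead of creating it
 * as root and chowning it, and have the unprivileged side verify that it
 * owns the cache before reusing or replacing it. Function names and the
 * cache path are hypothetical.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Create `path` as uid:gid in a child process and write `len` bytes of
 * `data` into it. O_CREAT|O_EXCL refuses to open anything already at that
 * path, a symlink planted there included, so nothing is followed or
 * clobbered; the file is born owned by the user with mode 0600, and the
 * privileged parent never opens it at all, so no chown is needed.
 *
 * Returns 0 on success or -errno reported by the child on failure.
 * Changing identity requires root; a caller already running as uid:gid
 * skips that step. A production version would also drop supplementary
 * groups (setgroups()/initgroups()); omitted here to stay within POSIX.
 */
int ccache_create_as_user(const char *path, uid_t uid, gid_t gid,
                          const void *data, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;

    if (pid == 0) {
        /* Group first, then user, so the uid change cannot be undone. */
        if (gid != getegid() && setgid(gid) != 0)
            _exit(errno);
        if (uid != geteuid() && setuid(uid) != 0)
            _exit(errno);

        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            _exit(errno);

        const char *p = data;
        while (len > 0) {
            ssize_t n = write(fd, p, len);
            if (n < 0) {
                if (errno == EINTR)
                    continue;
                _exit(errno);
            }
            p += n;
            len -= (size_t)n;
        }
        if (close(fd) != 0)
            _exit(errno);
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (!WIFEXITED(status))
        return -EIO;
    return -WEXITSTATUS(status);
}

/*
 * What the program running as the user (login) should check before it
 * trusts, rewrites or unlinks a cache handed to it: a regular file (not a
 * symlink), owned by the caller, not group- or world-accessible. A cache
 * still owned by root, the symptom in this report, is rejected here
 * instead of failing later inside unlink() or open().
 * Returns 1 if the cache is acceptable, 0 otherwise.
 */
int ccache_check_owner(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != uid)
        return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed path and constructed cache bytes; a real cache holds the
     * krb5 ccache format, which is irrelevant to the ownership point. */
    char path[64];
    snprintf(path, sizeof path, "/tmp/krb5cc_example_%ld", (long)getpid());
    const char sample[] = "constructed sample cache bytes";
    unlink(path);

    int rc = ccache_create_as_user(path, getuid(), getgid(), sample, sizeof sample);
    printf("create: %s\n", rc == 0 ? "ok" : strerror(-rc));
    printf("owned by caller: %s\n", ccache_check_owner(path, getuid()) ? "yes" : "no");
    rc = ccache_create_as_user(path, getuid(), getgid(), sample, sizeof sample);
    printf("second create: %s\n", rc == 0 ? "ok" : strerror(-rc)); /* refused, EEXIST */
    unlink(path);
    return 0;
}
```

Run as an ordinary user the example creates the file as itself; run as root with a different uid:gid it drops to that identity in the child before the open, which is the part a daemon like telnetd would use. The second create call is refused with EEXIST on purpose: the writer never replaces an existing cache, and the reader side refuses a cache it does not own, so neither end ever has to operate as root on a file in a user-controlled location.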