Sam Hartman <[EMAIL PROTECTED]> writes:
>>>>>> "Micah" == Micah Anderson <[EMAIL PROTECTED]> writes:
> Micah> Package: openssh-krb5 Severity: important Tags: security
> Micah> CAN-2005-2798[1] reads:
> Micah> sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials
> Micah> is enabled, allows GSSAPI credentials to be delegated to
> Micah> clients who log in using non-GSSAPI methods, which could
> Micah> cause those credentials to be exposed to untrusted users or
> Micah> hosts.
> Micah> Since GSSAPI features are enabled in openssh-krb5/ssh-krb5
> Micah> and the source package tends to use older GSSAPI source,
> Micah> it is likely these binaries are vulnerable.
> Could someone explain to me why this is a problem? I actually use
> this as a feature regularly.
> If you don't want the other end of the connection to have your
> credentials, why are you shoving them over the wire?
You log on with public key but delegate your credentials?
I think the theory is that people may use a configuration such as:
Host *.example.com
GSSAPIDelegateCredentials yes
so that ssh works as they want for all their local systems. But this
means that if, say, someone were to set up a host with a very similar name
to a commonly used host that accepts all public keys, they could capture
forwarded credentials. Requiring that GSSAPI authentication succeed at
least requires that such an attacker also be able to obtain a host
Kerberos keytab.
It's certainly not a major security vulnerability, particularly given that
users should also notice the lack of a host key for such a system, but I
can see the point. I'm sure the theory is that no one was doing this
intentionally.
If you are doing this intentionally, maybe we should think twice about
whether to apply this patch. (The patch itself looks clean and safe to
me, so I was going to go ahead and do one final upload of the openssh-krb5
package before retiring it in favor of recommending a current version of
the base openssh packages.)
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
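A small checker for the wildcard delegation stanza described above, added here as an example and not part of the thread or of the openssh-krb5 package; the config it parses is constructed, and the matcher handles only the `*`/`?` subset of ssh_config Host patterns.

```python
import fnmatch

# Constructed sample ~/.ssh/config modelled on the wildcard stanza quoted in
# the thread; not taken from any real user's configuration.
SAMPLE_CONFIG = """\
Host *.example.com
    GSSAPIDelegateCredentials yes

Host build.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    PubkeyAuthentication yes
"""

def parse_ssh_config(text):
    # Subset of ssh_config syntax: 'Host' opens a stanza, every other
    # 'Keyword value' line attaches to the current one. Keywords are
    # case-insensitive; options before the first Host apply to every host.
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key, value)  # first value wins
    return stanzas

def effective_option(text, hostname, key):
    # Resolve an option as ssh does: first matching stanza in file order
    # wins. Negated '!' patterns are not handled by this simplified matcher.
    key, hostname = key.lower(), hostname.lower()
    for patterns, opts in parse_ssh_config(text):
        if key in opts and any(fnmatch.fnmatchcase(hostname, p.lower())
                               for p in patterns):
            return opts[key]
    return None

def delegation_risks(text):
    # Host pattern lists that enable GSSAPIDelegateCredentials under a
    # wildcard: the configuration the thread warns about.
    return [patterns for patterns, opts in parse_ssh_config(text)
            if opts.get("gssapidelegatecredentials", "").lower() == "yes"
            and any("*" in p or "?" in p for p in patterns)]
```

Resolving `GSSAPIDelegateCredentials` for a mistyped local name such as `bulid.example.com` shows that the wildcard stanza still hands over credentials, which is exactly why the server-side requirement that GSSAPI authentication succeed first matters.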