On Wed, Jan 24, 2001 at 03:07:09AM -0800, Carson Gaspar wrote:
> 
> 
> --On Tuesday, January 23, 2001 4:07 PM -0600 Jim Barlow 
> <[EMAIL PROTECTED]> wrote:
> 
> > We have been using ssh1 with kerberos 5 at our site for a number of years.
> > We now have a situation where a user "needs" both kerberos and RSARhosts
> > authentication. However, kerberos is disabled when the ssh client is suid
> > because of the KRB5CCNAME environment variable exploit.  Has this ever
> > been fixed, or anyone have a patch to fix it?
> 
> There is no sane reason for RSARhosts to require that the client be setuid 
> root (or have a port <1024). I posted patches for SSH1 many moons ago that 
> added a server option to remove this piece of silliness. They should still 
> be lingering around on ftp://ftp.cs.columbia.edu/pub/carson
> somewhere.

I tried adding the relevant part of that patch to our source tree and there
are a few problems I ran into.  First off there needs to be modifications
to the ssh client (ssh.c) so that it will not disable rhosts authentication
and RSA rhosts authentication if it is not running as root.

Secondly, I think I can agree I don't see any need to have to bind to a 
port <1024, however, in order for RSARhosts to work I don't see any way
around having to have the ssh client suid root.  If I am not mistaken,
when using RSARhosts the client checks the client machine's public
key (sent by the server it is connecting to), against the client's own
private key.  So in order for the ssh client to do that it has to be suid root
because its private key is readable only by root.  

So back to my original question, does anyone know of patches that fix
the problem with the KRB5CCNAME environment variable exploit?


-- 
James J. Barlow   <[EMAIL PROTECTED]>
Senior System Engineer
National Center for Supercomputing Applications    Voice : (217)244-6403
605 East Springfield Avenue   Champaign, IL 61820   Cell : (217)840-0601
http://www.ncsa.uiuc.edu/People/jbarlow              Fax : (217)244-1987

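An added example, not code from this thread and not ssh1 code: the ordering the poster's reasoning implies for a setuid-root client (read the root-only host key first, drop privileges permanently, and only then open anything named by KRB5CCNAME, so that open happens with the user's own uid), shown next to the simpler policy the poster reports ssh1 using, which is to ignore KRB5CCNAME while still setuid. Function names, the handling of the `FILE:` prefix, and the temp-directory stand-ins for the host key and the credential cache are assumptions for illustration.

```python
"""Added example (not ssh1 code, not from the thread): two ways a
setuid-root client can deal with a user-controlled KRB5CCNAME.

Policy A: while the process is setuid, KRB5CCNAME is ignored, so
Kerberos is effectively disabled (what the poster reports ssh1 doing).
Policy B: read the root-only host key first, drop to the real uid for
good, and only then open the file KRB5CCNAME names.  All names below
are illustrative assumptions.
"""
import os
import stat
import tempfile


def running_setuid(ruid, euid):
    """True when real and effective uids differ, i.e. the binary was
    started setuid root and has not dropped privileges yet."""
    return ruid != euid


def ccache_from_env(environ, ruid, euid):
    """Policy A: honor KRB5CCNAME only when not setuid.  Returns the
    path with an optional 'FILE:' prefix stripped, or None."""
    if running_setuid(ruid, euid):
        return None
    value = environ.get("KRB5CCNAME")
    if value is None:
        return None
    return value[len("FILE:"):] if value.startswith("FILE:") else value


def drop_privileges_permanently():
    """Policy B, step 2: set real, effective and saved ids to the real
    ones.  With all three equal there is no saved root id to regain."""
    ruid, rgid = os.getuid(), os.getgid()
    if hasattr(os, "setresgid"):          # groups first, while still able to
        os.setresgid(rgid, rgid, rgid)
        os.setresuid(ruid, ruid, ruid)
    else:                                 # fallback for platforms without setres*
        os.setgid(rgid)
        os.setuid(ruid)
    # Check the drop took effect; a silently failed setuid() is a classic bug.
    if os.geteuid() != ruid or os.getegid() != rgid:
        raise RuntimeError("privilege drop failed")
    return ruid


def read_host_key_then_drop(host_key_path):
    """Policy B, steps 1 and 2: read the root-only secret, then drop."""
    with open(host_key_path, "rb") as f:
        host_key = f.read()
    uid = drop_privileges_permanently()
    return host_key, uid


def open_ccache_as_user(path, uid):
    """Policy B, step 3: open the user-named cache after the drop.
    O_NOFOLLOW refuses a symlink; the fstat check refuses a file the
    caller does not own.  With root gone, kernel DAC does the rest."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
            raise PermissionError("refusing ccache not owned by caller")
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo():
    """Run both policies on a constructed host key and ccache in a temp
    directory.  Run unprivileged, real and effective uids already agree,
    so the id changes are no-ops that still exercise the verification."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "ssh_host_key")   # constructed stand-in
        cc_path = os.path.join(d, "krb5cc_demo")     # constructed stand-in
        with open(key_path, "wb") as f:
            f.write(b"-----constructed host key-----")
        with open(cc_path, "wb") as f:
            f.write(b"constructed ccache bytes")
        env = {"KRB5CCNAME": "FILE:" + cc_path}
        me = os.getuid()
        result = {
            # Policy A: a setuid process (real 1000, effective 0) gets nothing...
            "policy_a_setuid": ccache_from_env(env, 1000, 0),
            # ...while an unprivileged process gets the bare path.
            "policy_a_plain": ccache_from_env(env, 1000, 1000) == cc_path,
        }
        key, uid = read_host_key_then_drop(key_path)
        result["host_key_read"] = key == b"-----constructed host key-----"
        result["dropped_to"] = uid == me
        result["ccache_after_drop"] = open_ccache_as_user(
            ccache_from_env(env, uid, os.geteuid()), uid)
        return result


if __name__ == "__main__":
    print(demo())
```

The point of policy B is the order: the privileged read happens before any attacker-influenced path is resolved, and the drop is verified rather than assumed, so a later open of whatever KRB5CCNAME points at can do no more than the invoking user could do by hand.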