Bug 908424 (CVE-2014-9278) - VUL-1: CVE-2014-9278: openssh: ~/.k5users unexpectedly grants remote login
Status: RESOLVED INVALID
Alias: CVE-2014-9278
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Petr Cerny
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/111242/
Reported: 2014-12-04 19:54 UTC by Alexander Bergmann
Modified: 2015-02-12 14:51 UTC
Found By: Security Response Team


Description Alexander Bergmann 2014-12-04 19:54:40 UTC
Via rh#1169843:

IssueDescription:

In a Kerberos environment, OpenSSH allows remote, authenticated users
to log in as another user if they are listed in a ~/.k5users file of that
other user.  This unexpectedly alters the system security policy, as
expressed through the ~/.k5users file, because previously, users would
have to log in locally, potentially requiring different forms of
authentication, before they could use the ksu command to switch users.

Proposed fix: Change the magic file name to ~/.ssh/k5users.  This needs careful review to make sure that the file is opened as the correct user, to avoid attacks by moving around ~/.ssh, leading to arbitrary file reads.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1169843
https://bugzilla.mindrot.org/show_bug.cgi?id=1867
http://thread.gmane.org/gmane.comp.encryption.kerberos.general/15855
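
The file-opening concern raised in the proposed fix, as an added example (not OpenSSH code and not part of the original report): a privileged process reaches ~/.ssh/k5users through pinned directory descriptors with O_NOFOLLOW and checks ownership, so replacing ~/.ssh with a symlink cannot redirect the read. The names open_user_k5users, trusted and demo are hypothetical, and the directory tree under /tmp is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* fd must be a dir (or regular file) owned by uid, not group/other-writable. */
static int trusted(int fd, uid_t uid, int want_dir)
{
    struct stat st;
    if (fd == -1 || fstat(fd, &st) == -1 || st.st_uid != uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return want_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode);
}

/* Hypothetical helper, not OpenSSH code: fd for <home>/.ssh/k5users or -1. */
int open_user_k5users(const char *home, uid_t uid)
{
    int fd = -1, dfd = -1, hfd = open(home, O_RDONLY | O_DIRECTORY);
    /* O_NOFOLLOW refuses a symlink planted as ~/.ssh; holding dfd means a
     * later rename of ~/.ssh cannot redirect the k5users lookup. */
    if (hfd != -1)
        dfd = openat(hfd, ".ssh", O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    /* O_NONBLOCK: a FIFO planted as k5users must not stall the caller. */
    if (trusted(dfd, uid, 1))
        fd = openat(dfd, "k5users", O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd != -1 && !trusted(fd, uid, 0)) {
        close(fd);
        fd = -1;
    }
    if (dfd != -1) close(dfd);
    if (hfd != -1) close(hfd);
    return fd;
}

/* Constructed demo: .ssh is a real dir (swap=0) or a symlink to one (swap=1). */
int demo(int swap, uid_t uid)
{
    char home[] = "/tmp/k5demoXXXXXX";
    int fd;
    if (!mkdtemp(home) || chdir(home) || mkdir("d", 0700) ||
        (fd = creat("d/k5users", 0600)) == -1 || close(fd)) return -1;
    if (swap ? symlink("d", ".ssh") : rename("d", ".ssh")) return -1;
    if ((fd = open_user_k5users(home, uid)) != -1) close(fd);
    return fd != -1;
}
int main(void) { return !(demo(0, getuid()) == 1 && demo(1, getuid()) == 0); }
```

The symlinked case points at a directory whose k5users file passes the ownership check, so only the O_NOFOLLOW lookup stands between the swap and a successful open. Performing the open while running with the target user's effective uid is a complementary control.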
Comment 1 Swamp Workflow Management 2014-12-04 23:00:14 UTC
bugbot adjusting priority
Comment 3 Johannes Segitz 2015-02-12 14:51:24 UTC
looks like we don't have the patch that uses ~/.k5users