From owner-freebsd-questions@FreeBSD.ORG Thu Dec  4 05:55:16 2003
Date: Thu, 4 Dec 2003 07:55:12 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject: MIT krb5, telnetd, PAM, incorrect permissions on forwarded tickets
Message-ID: <20031204135512.GV294@seekingfire.com>
User-Agent: Mutt/1.5.5.1i

I'm trying over here since I didn't have any luck fishing in ports@ :-)

I've since found the parts of the MIT login.krb5 that chown the forwarded
ticket file. That was nice to know but not really relevant :-)

I understand that there's a race condition when having root chown a file
in /tmp to a user (symlinks being the obvious attack path). There are ways
around that, though, so I don't believe the change that I'm looking for
leads to a security problem if handled carefully.

-T

-- 
All programs evolve until they can send email.
        - A.S.R. quote (Richard Letts)
Except Microsoft Exchange.
        - A.S.R. quote (Art)


Attached message (message/rfc822):

Date: Wed, 3 Dec 2003 11:33:19 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: FreeBSD-Ports
Subject: MIT krb5, telnetd, PAM, incorrect permissions on forwarded tickets
Message-ID: <20031203173319.GE294@seekingfire.com>
User-Agent: Mutt/1.5.5.1i

Howdy folks,

When using the MIT krb5 port (up to date as of a CVSup this morning) on a
recent -STABLE box, there are two ways to enable telnetd in /etc/inetd.conf:

    telnet stream tcp nowait root /usr/libexec/telnetd telnetd -a user

or

    telnet stream tcp nowait root /usr/local/krb5/sbin/telnetd telnetd -a user -L /usr/local/krb5/sbin/login.krb5

The first way, according to the man page and to the README.FreeBSD included
in the krb5 port, uses /usr/bin/login. The second way uses the MIT login
program.

The first way is obviously preferred -- you get login.conf and login.access
that way. However, when using forwarded tickets it creates them with the
wrong permissions (0600 root:wheel) and the user can't even read their own
ticket. If root chown's them to the user manually the forwarded ticket works
correctly. Naturally, login.krb5 sets the permissions correctly.

Since a simple chown seems like such a simple thing to fix and there are
compelling benefits to using the FreeBSD login, I'd like to start using
/usr/bin/login with my MIT telnetd (it's even the default in the port ;-) ).
But figuring out just where this should be done has been non-trivial.

My first instinct (supported by the wording in README.FreeBSD) was to look
in /etc/pam.conf. But PAM doesn't appear to be in play here: I have
pam_krb5.conf commented out and am still able to log in correctly!
Uncommenting pam_krb5 in the PAM stack appears to have no effect.

So my next instinct was that the MIT telnetd was performing the ticket
creation in /tmp itself. That's a much bigger piece of software to read
through -- I'm still digging into it.

Are there any known workarounds for this? Would someone with a bit more
familiarity with the code in question mind taking a look at it?

Thanks,

-T

-- 
Belief gets in the way of learning.
        - Robert Heinlein
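The symlink race the reply mentions (root chowning a ticket file in /tmp over to the user) is closed by opening the file with O_NOFOLLOW and then checking and changing it only through the descriptor, never through the path name again. The following is an added example, not code from the post, from MIT krb5 or from FreeBSD's login; the function and file names are invented, and the demo hands the file to the caller's own uid so it runs unprivileged.

```c
/* Added example (not from the post, MIT krb5 or FreeBSD): hand a root-created
 * ticket file in /tmp to its user without a symlink race. */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Give 'path' to uid:gid; 'creator' is the uid it must still belong to
 * (0 when login runs as root). O_NOFOLLOW refuses a planted symlink, and every
 * check and change goes through the descriptor, never through the name. */
int hand_over_ccache(const char *path, uid_t creator, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;          /* symlink: ELOOP (EMLINK on FreeBSD) */
    errno = 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
          && st.st_nlink == 1 && st.st_uid == creator
          && fchmod(fd, S_IRUSR | S_IWUSR) == 0   /* 0600 before handover */
          && fchown(fd, uid, gid) == 0;
    int saved = ok ? 0 : (errno ? errno : EPERM); /* EPERM: failed a check */
    close(fd);
    errno = saved;
    return ok ? 0 : -1;
}

/* Constructed scenario run as our own uid (no root needed): a symlink must be
 * refused and the real file handed over at mode 0600. Returns 0 when both
 * hold, otherwise the number of the step that failed. */
int demo_handover(void)
{
    char dir[] = "/tmp/krb5cc_demo.XXXXXX", real[64], lnk[64];
    struct stat st; int fd, step = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(real, sizeof real, "%s/krb5cc_p1234", dir);
    snprintf(lnk, sizeof lnk, "%s/krb5cc_planted", dir);
    if ((fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) step = 2;
    else if (close(fd) != 0 || symlink(real, lnk) != 0) step = 3;
    else if (hand_over_ccache(lnk, getuid(), getuid(), getgid()) == 0
             || (errno != ELOOP && errno != EMLINK)) step = 4;
    else if (hand_over_ccache(real, getuid(), getuid(), getgid()) != 0) step = 5;
    else if (stat(real, &st) != 0 || (st.st_mode & 07777) != 0600) step = 6;
    unlink(lnk); unlink(real); rmdir(dir);
    return step;
}

int main(void) { return demo_handover(); }   /* exit status 0 means ok */
```

A login program would call hand_over_ccache() with creator 0 right after it has written the forwarded ticket, before dropping privileges.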