Date:      Thu, 4 Dec 2003 07:55:12 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject:   MIT krb5, telnetd, PAM, incorrect permissions on forwarded tickets
Message-ID:  <20031204135512.GV294@seekingfire.com>


--R6sEYoIZpp9JErk7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I'm trying over here since I didn't have any luck fishing in ports@ :-)

I've since found the parts of the MIT login.krb5 that chown the
forwarded ticket file. That was nice to know but not really relevant :-)

I understand that there's a race condition when having root chown a file
in /tmp to a user (symlinks being the obvious attack path). There are
ways around that, though, so I don't believe the change that I'm looking
for leads to a security problem if handled carefully.

-T


-- 
All programs evolve until they can send email.
    - A.S.R. quote (Richard Letts)
Except Microsoft Exchange.
    - A.S.R. quote (Art)

--R6sEYoIZpp9JErk7
Content-Type: message/rfc822
Content-Disposition: inline

Date: Wed, 3 Dec 2003 11:33:19 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: FreeBSD-Ports <freebsd-ports@freebsd.org>
Subject: MIT krb5, telnetd, PAM, incorrect permissions on forwarded tickets
Message-ID: <20031203173319.GE294@seekingfire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.
X-GPG-Key-ID: 828AFC7B
X-GPG-Fingerprint: 5584 14BA C9EB 1524 0E68  F543 0F0A 7FBC 828A FC7B
X-GPG-Key: http://www.seekingfire.com/gpg_key.asc
X-Urban-Legend: There is lots of hidden information in headers
User-Agent: Mutt/1.5.5.1i

Howdy folks,

When using the MIT krb5 port (up to date as of a CVSup this morning) on
a recent -STABLE box, there are two ways to enable telnetd in
/etc/inetd.conf:

telnet  stream  tcp nowait  root    /usr/libexec/telnetd telnetd -a user

or

telnet  stream  tcp nowait  root    /usr/local/krb5/sbin/telnetd telnetd -a user -L /usr/local/krb5/sbin/login.krb5

The first way, according to the man page and to the README.FreeBSD
included in the krb5 port, uses /usr/bin/login. The second way uses the
MIT login program.

The first way is obviously preferred -- you get login.conf and
login.access that way. However, when using forwarded tickets it creates
them with the wrong permissions (0600 root:wheel) and the user can't
even read their own ticket. If root chown's them to the user manually
the forwarded ticket works correctly.

Naturally, login.krb5 sets the permissions correctly.

Since a simple chown seems like such a simple thing to fix and there are
compelling benefits to using the FreeBSD login, I'd like to start using
/usr/bin/login with my MIT telnetd (it's even the default in the port
;-) ). But figuring out just where this should be done has been
non-trivial.

My first instinct (supported by the wording in README.FreeBSD) was to
look in /etc/pam.conf. But PAM doesn't appear to be in play here: I have
pam_krb5.conf commented out and am still able to log in correctly!
Uncommenting pam_krb5 in the PAM stack appears to have no effect.

So my next instinct was that the MIT telnetd was performing the ticket
creation in /tmp itself. That's a much bigger piece of software to read
through -- I'm still digging into it.

Are there any known workarounds for this? Would someone with a bit more
familiarity with the code in question mind taking a look at it?

Thanks,

-T


-- 
Belief gets in the way of learning.
	- Robert Heinlein

--R6sEYoIZpp9JErk7--
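The two mails above describe the same handover step: login runs as root, the forwarded ticket file lands in /tmp as 0600 root:wheel, and the fix is to give it to the user, which the first mail notes is racy if root does a path-based chown in a world-writable directory (a symlink planted at that path would redirect the chown). The following is an added example, not code from either mail, from MIT krb5 or from FreeBSD's login. It shows the safe shape of that step: open the path with O_NOFOLLOW, verify via fstat that the descriptor refers to a plain, single-link file still owned by the account that created it, and then use fchown/fchmod on the descriptor rather than the path, so nothing that happens to the name afterwards can change which inode is affected. The helper names `hand_over_ticket` and `make_ticket_file`, the `/tmp/krb5cc_demo_XXXXXX` template and the "constructed ticket" payload are all assumptions made for the example.

```c
/* Added example: hand a freshly created ticket file to its owner without a
 * path-based chown(). All names and the sample file below are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Transfer ownership of the file at `path` to uid:gid with mode 0600.
 * `current_owner` is the uid that created the file (root in the login case).
 * Returns 0 on success, -1 with errno set on any failure. The path is only
 * used once, to obtain a descriptor; every check and change after that is
 * done on the descriptor, so a symlink swapped in later has no effect. */
int hand_over_ticket(const char *path, uid_t current_owner, uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW: refuse if the last path component is a symlink. */
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    /* Must be a regular file, not hard-linked elsewhere, and still owned by
     * whoever created it; anything else means the name was tampered with. */
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != current_owner) {
        close(fd); errno = EPERM; return -1;
    }
    /* Descriptor-based changes: they apply to this inode, whatever the name
     * now points to. Mode first so the file is never group/world readable
     * while owned by the user. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0 || fchown(fd, uid, gid) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    close(fd);
    return 0;
}

/* Create a constructed stand-in for a forwarded ticket file in /tmp and
 * write its path into `buf`. Returns 0 on success, -1 on failure. */
int make_ticket_file(char *buf, size_t n)
{
    const char tmpl[] = "/tmp/krb5cc_demo_XXXXXX";
    if (n < sizeof tmpl)
        return -1;
    memcpy(buf, tmpl, sizeof tmpl);
    int fd = mkstemp(buf);          /* created 0600, owned by us */
    if (fd < 0)
        return -1;
    const char payload[] = "constructed ticket bytes";
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) {
        close(fd); unlink(buf); return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64], link[80];
    if (make_ticket_file(path, sizeof path) < 0) {
        perror("make_ticket_file");
        return 1;
    }
    /* Normal case: the file we just created is handed over (to ourselves here). */
    int ok = hand_over_ticket(path, getuid(), getuid(), getgid());
    printf("regular file: %s\n", ok == 0 ? "handed over" : strerror(errno));

    /* Tampered case: a symlink at the name we would have chown'ed by path. */
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) == 0) {
        int rc = hand_over_ticket(link, getuid(), getuid(), getgid());
        printf("symlink: %s\n", rc == 0 ? "handed over (BAD)" : strerror(errno));
        unlink(link);
    }
    unlink(path);
    return 0;
}
```

The symlink case is where a plain `chown(path, uid, gid)` would have followed the link and changed ownership of whatever the attacker pointed it at; with O_NOFOLLOW the open fails (ELOOP on Linux, EMLINK on older FreeBSD) and nothing is changed. The owner check in `hand_over_ticket` is the same idea on the inode level: if the file at that name no longer belongs to the account that wrote it, it is not the file that was just written.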
