[krbdev.mit.edu #8542] Check for k5login permission
sandeep umesh via RT
rt-comment at krbdev.mit.edu
Wed Feb 1 11:42:30 EST 2017
Hello
As per our understanding, .k5login file is similar to ssh authorized_keys.
A user put his keys in the authorized_keys file to ssh to a server without
password.
However ssh correctly check that only the ownerhas write access (600) to
authorized_keys but the same check is not perform for k5login file. Anybody
with write access to another user's home directory could potentially add a
.k5login file with his kerberos id to take control of that user.
Basically, in userok_k5login function, we do have a check to verify if
.k5login file is owned either by the user or root. Can we also have a
additional check to verify the permissions of this file to be at 600 ?
Thanks
Sandeep
More information about the krb5-bugs
mailing list