krb5.conf ' # ' in realms section can cause ssh to segv

Russ Allbery rra at stanford.edu
Wed Jul 13 17:13:16 EDT 2005


Troy Benjegerdes <hozer at hozed.org> writes:

> While testing a new kerberos server, I commented out one of my existing
> servers with something like the following:

> [realms]
> EXAMPLE.COM = {
> 	#kdc = kerberos-1.example.com
> 	kdc = new-test-server.example.com
> 	admin_server = kerberos.example.com
> }

> Unfortunately, I seem to be unable to reproduce the problem exactly
> anymore. When it was failing, I was getting the included backtrace.
> What tipped me off to /etc/krb5.conf was that it was the last thing I saw
> in strace output.

> Is this a potential security issue? Granted, if you can edit krb5.conf,
> you can do a lot of other stuff, but a segv is pretty bad behavior.

If you linked against the MIT Kerberos v5 libraries, whitespace before
comments will cause Kerberos initialization to fail.  If that wasn't
checked for thoroughly, it could result in trying to use or free a NULL
pointer.  (There's also another problem with MIT K5 right now where it
doesn't completely initialize an output_token buffer in the GSSAPI layer
in some particular circumstances.)

These are #1988 and #3086 in the MIT Kerberos RT.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
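The two halves of the failure Russ describes, as an added illustration that is not code from the post, from MIT Kerberos or from OpenSSH: a toy [realms] parser whose strict mode treats a '#' comment preceded by whitespace as a fatal error (an assumption modelled on the behaviour described above, not a reading of the MIT profile code), and a caller that checks the parser's error code before dereferencing the result, which is the check whose absence would turn a failed initialization into a NULL dereference. The function names, the realm_config struct and the PARSE_* codes are hypothetical; the sample configuration is constructed from the quoted stanza, with the commented-out kdc line indented by a tab.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not MIT Kerberos or OpenSSH code. A toy [realms] parser
 * that, in strict mode, rejects a '#' comment preceded by whitespace (assumed
 * to mirror the library behaviour described in the post), plus a caller that
 * checks the result before dereferencing it. */

#define MAX_KDCS 8
enum { PARSE_OK = 0, PARSE_ERR = 1 };

typedef struct {
    char realm[64];
    char kdc[MAX_KDCS][128];
    int nkdc;
} realm_config;

/* Copy src[0..len) into dst with surrounding whitespace removed. */
static void copy_trimmed(char *dst, size_t dstsize, const char *src, size_t len)
{
    while (len > 0 && isspace((unsigned char)src[0])) { src++; len--; }
    while (len > 0 && isspace((unsigned char)src[len - 1])) len--;
    if (len >= dstsize) len = dstsize - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse one [realms] stanza. Returns PARSE_OK with *out set, or PARSE_ERR with
 * *out left NULL. An indented comment is an error only when strict != 0. */
int parse_realms(const char *text, int strict, realm_config **out)
{
    realm_config *cfg = calloc(1, sizeof *cfg);
    const char *p = text;
    int in_realm = 0, ok = 1;
    *out = NULL;
    if (cfg == NULL) return PARSE_ERR;
    while (ok && *p != '\0') {
        char line[256];
        size_t n = strcspn(p, "\n");
        const char *s = line, *eq;
        if (n >= sizeof line) { ok = 0; break; }   /* over-long line: reject */
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');                   /* step past this line */
        while (*s == ' ' || *s == '\t') s++;
        if (*s == '\0' || *s == '[') continue;     /* blank line or section header */
        if (*s == '#') { ok = !(strict && s != line); continue; } /* indented + strict = fail */
        if (*s == '}') { in_realm = 0; continue; }
        if ((eq = strchr(s, '=')) == NULL) { ok = 0; continue; }
        if (!in_realm) {                           /* "REALM = {" opens the stanza */
            ok = strchr(eq, '{') != NULL;
            copy_trimmed(cfg->realm, sizeof cfg->realm, s, (size_t)(eq - s));
            in_realm = 1;
        } else if (strncmp(s, "kdc", 3) == 0 && cfg->nkdc < MAX_KDCS) {
            copy_trimmed(cfg->kdc[cfg->nkdc++], sizeof cfg->kdc[0], eq + 1, strlen(eq + 1));
        }                                          /* other keys are ignored */
    }
    if (!ok) { free(cfg); return PARSE_ERR; }
    *out = cfg;
    return PARSE_OK;
}

/* Caller-side check: touch the config only after the error code says it exists.
 * Returns the first KDC, or NULL when parsing failed or no kdc was set; an
 * unchecked caller would dereference NULL here. *keep receives the parsed
 * config (the caller frees it) so the returned pointer stays valid. */
const char *lookup_kdc(const char *text, int strict, realm_config **keep)
{
    realm_config *cfg;
    *keep = NULL;
    if (parse_realms(text, strict, &cfg) != PARSE_OK || cfg->nkdc == 0) {
        free(cfg);                                 /* free(NULL) is a no-op */
        return NULL;
    }
    *keep = cfg;
    return cfg->kdc[0];
}

/* Constructed sample: the quoted stanza, with the commented-out kdc line
 * indented by a tab as in the post. */
const char *SAMPLE_KRB5_CONF =
    "[realms]\n"
    "EXAMPLE.COM = {\n"
    "\t#kdc = kerberos-1.example.com\n"
    "\tkdc = new-test-server.example.com\n"
    "\tadmin_server = kerberos.example.com\n"
    "}\n";

int main(void)
{
    realm_config *cfg;
    const char *kdc = lookup_kdc(SAMPLE_KRB5_CONF, 1, &cfg);
    printf("strict: %s\n", kdc ? kdc : "initialization failed, no KDC");
    free(cfg);
    return 0;
}
```

In strict mode the indented comment makes the parse fail and lookup_kdc returns NULL instead of a KDC; in lenient mode (strict = 0) the same text yields new-test-server.example.com. The defensive point is in lookup_kdc: the return code is tested before any field of the config is read, so a parse failure surfaces as a NULL result rather than a crash.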

