krb5.conf ' # ' in realms section can cause ssh to segv

Troy Benjegerdes hozer at hozed.org
Wed Jul 13 18:27:12 EDT 2005


On Wed, Jul 13, 2005 at 09:43:41PM +0100, Simon Wilkinson wrote:
> Troy Benjegerdes wrote:
> > 
> > Is this a potential security issue? Granted, if you can edit krb5.conf,
> > you can do a lot of other stuff.. but a segv is pretty bad behavior.
> 
> You've not really provided enough information to track this down. The
> stack trace doesn't have any symbols, and you haven't even said which
> version of krb5 or ssh you're running. You've also not provided any
> debugging dumps from the ssh client which would help show where the
> error is occurring.
> 
> If you could let me know those things, I can probably trace this a bit
> better. My rough guess is that the client's first call into init_context
> is failing, due to the bad configuration. It's then trying to release a
> buffer that hasn't been allocated, and so is seg faulting.
> 
> I don't think this is a security issue - it's client side, rather than
> server side, the error isn't as a result of bad incoming data, and ssh
> doesn't run with elevated privilege.
> 
> If you can provide more information though, and you're running OpenSSH
> with my patches, or code derived from them, it would be good to fix this.

Debian-powerpc, running sarge:

ii  libkrb53       1.3.6-3        MIT Kerberos runtime libraries
ii  ssh-krb5       3.8.1p1-8      Secure rlogin/rsh/rcp replacement

I also know the segv occurred immediately after opening /etc/krb5.conf,
but the strace log is gone from my scrollback.
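The failure mode Simon guesses at above (an init call rejecting the bad krb5.conf, followed by cleanup code releasing a context that was never allocated) is a common error-path bug, and it is easy to keep out of a client by construction. The C below is an added illustration that is not code from this thread, from MIT krb5 or from OpenSSH: `ctx_t`, `ctx_init`, `ctx_free` and `client_connect` are hypothetical stand-ins, the configs are constructed samples, and the parser is a deliberately minimal model of the `[realms]` section rather than the real profile library. It shows the caller pattern that stays safe whichever way init fails: the context pointer starts as NULL, init leaves it untouched on error, and release tolerates NULL.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a Kerberos context (not libkrb5's krb5_context). */
typedef struct {
    char default_realm[64];
} ctx_t;

enum { CTX_OK = 0, CTX_ERR_NO_REALM = 1, CTX_ERR_BAD_REALM = 2, CTX_ERR_NOMEM = 3 };

/* Constructed sample configs: a sane one and one with a stray " # " on a
 * realm line, modelled on the symptom in the thread's subject. */
static const char GOOD_CONF[] =
    "[libdefaults]\n default_realm = EXAMPLE.COM\n\n"
    "[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n";
static const char BAD_CONF[] =
    "[realms]\n EXAMPLE.COM # = {\n  kdc = kdc.example.com\n }\n";

/* Strip leading and trailing whitespace in place. */
static void trim(char *s) {
    size_t n = strlen(s);
    while (n && isspace((unsigned char)s[n - 1])) s[--n] = '\0';
    char *b = s;
    while (*b && isspace((unsigned char)*b)) b++;
    memmove(s, b, strlen(b) + 1);
}

/* Minimal model of reading the [realms] section. Contract (the same shape as
 * krb5_init_context): returns 0 and sets *out on success; on any error it
 * returns nonzero and does NOT touch *out, so nothing is left half-built. */
int ctx_init(const char *conf, ctx_t **out) {
    char line[256], realm[64] = "";
    int in_realms = 0, depth = 0, found = 0;
    const char *p = conf;

    while (*p) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += len;
        if (*p == '\n') p++;
        trim(line);

        if (line[0] == '\0' || line[0] == '#' || line[0] == ';') continue; /* whole-line comment */
        if (line[0] == '[') { in_realms = strcmp(line, "[realms]") == 0; depth = 0; continue; }
        if (!in_realms) continue;
        if (strcmp(line, "}") == 0) { if (depth > 0) depth--; continue; }

        char *eq = strchr(line, '=');
        if (!eq) continue;                       /* not a key = value line */
        if (depth > 0) {                         /* sub-key such as kdc = ..., inside braces */
            if (strchr(eq + 1, '{')) depth++;
            continue;
        }
        *eq = '\0';
        trim(line);                              /* line now holds the realm name */
        /* A realm name is a single token: embedded whitespace or '#' is garbage,
         * and the only correct response is a clean error, not a partial context. */
        if (line[0] == '\0') return CTX_ERR_BAD_REALM;
        for (const char *q = line; *q; q++)
            if (isspace((unsigned char)*q) || *q == '#') return CTX_ERR_BAD_REALM;
        if (!found) { snprintf(realm, sizeof realm, "%s", line); found = 1; }
        if (strchr(eq + 1, '{')) depth++;
    }
    if (!found) return CTX_ERR_NO_REALM;

    ctx_t *c = calloc(1, sizeof *c);
    if (!c) return CTX_ERR_NOMEM;
    snprintf(c->default_realm, sizeof c->default_realm, "%s", realm);
    *out = c;
    return CTX_OK;
}

/* Release tolerates NULL, like free(3), so an error path can never crash here. */
void ctx_free(ctx_t *ctx) {
    free(ctx);
}

/* Caller pattern: the pointer starts NULL and is released only after a
 * successful init. Releasing an uninitialised pointer on the error path is
 * exactly the kind of bug guessed at in the thread. */
int client_connect(const char *conf, char *realm_out, size_t n) {
    ctx_t *ctx = NULL;
    int rc = ctx_init(conf, &ctx);
    if (rc != CTX_OK) {
        fprintf(stderr, "init failed (rc=%d); no context to release\n", rc);
        return rc;
    }
    snprintf(realm_out, n, "%s", ctx->default_realm);
    ctx_free(ctx);
    return CTX_OK;
}

int main(void) {
    char realm[64];
    printf("good: rc=%d realm=%s\n", client_connect(GOOD_CONF, realm, sizeof realm), realm);
    printf("bad:  rc=%d\n", client_connect(BAD_CONF, realm, sizeof realm));
    return 0;
}
```

The point for a client maintainer is the second half: a library that rejects its configuration should hand back an error and nothing else, and the caller should not assume any output parameter is valid unless the call succeeded. With the pointer zeroed up front and a NULL-safe release, the bad-config case degrades to a logged error rather than a segfault.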
