pam-krb5 3.13 released
Russ Allbery
rra at stanford.edu
Wed Feb 11 15:08:33 EST 2009
I'm pleased to announce release 3.13 of pam-krb5. This is an urgent
security update. Everyone using this module should upgrade to either 3.13
or to a fixed package available from a package provider.

See:

    http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html

for more details.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password expiration, as well as all the standard
expected PAM features. It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    SECURITY: When built against MIT Kerberos, if pam_krb5 is called in a
    setuid context (effective UID or GID doesn't match the real UID or
    GID), use krb5_init_secure_context instead of krb5_init_context. This
    ignores environment variable settings for the local Kerberos
    configuration and keytab. Previous versions could allow a local
    attacker to point a setuid program that used PAM authentication at a
    different Kerberos configuration under the attacker's control,
    possibly resulting in privilege escalation. Heimdal handles this
    logic within the Kerberos libraries and therefore was not affected.

    SECURITY: Disable pam_setcred(PAM_REINITIALIZE_CREDS) for setuid
    applications. If pam_krb5 detects this call in a setuid context, it
    now logs an error and returns success without doing anything. Solaris
    su calls pam_setcred with that option rather than PAM_ESTABLISH_CREDS
    after authentication and without wiping the environment, leading
    previous versions of pam_krb5 to trust the KRB5CCNAME environment
    variable for the ticket cache location. This permitted an attacker to
    use previous versions of pam_krb5 to overwrite arbitrary files with
    Kerberos credential caches that were left owned by the attacker.
    Setuid screen lock programs may also be affected. Discovered by Derek
    Chan and reported by Steven Luo. Thanks to Sam Hartman and Jeffrey
    Hutzelman for additional analysis.

    If a prefix of /usr is requested at configure time, install the PAM
    module into /lib/security or /lib64/security on Linux, matching the
    standard Linux-PAM module location. Use lib64 instead of lib on
    64-bit SPARC, PowerPC, and S390 Linux as well as x86_64. Patch from
    Peter Breitenlohner.

    Fix a build problem when builddir != srcdir introduced in 3.11. Patch
    from Peter Breitenlohner.

    Add support for the old Heimdal krb5_get_error_string interface.
    Thanks, Chaskiel Grundman.

    Add --with-krb5-include and --with-krb5-lib configure options to allow
    more specific setting of paths if necessary.

    If krb5-config isn't available, attempt to determine if the library
    directory for the Kerberos libraries is lib32 or lib64 instead of lib
    and set LDFLAGS accordingly. Based on an idea from the CMU Autoconf
    macros.

You can download it from:

    <http://www.eyrie.org/~eagle/software/pam-krb5/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental. The security
vulnerabilities will be separately fixed shortly in Debian stable (etch),
Debian testing (lenny), and Debian unstable (sid).

Please let me know of any problems or feature requests not already listed
in the TODO file.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
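As an added illustration (not code from pam-krb5 or the announcement above), the checks the two 3.13 security fixes rest on, modelled in plain C without Kerberos or PAM headers: detecting a setuid context by comparing real and effective IDs, the pre- and post-fix treatment of KRB5CCNAME, and the PAM_REINITIALIZE_CREDS no-op. The flag values and cache paths are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-ins for PAM's pam_setcred() flags, so this compiles
 * without <security/pam_modules.h>; the real values differ. */
enum setcred_flag { ESTABLISH_CREDS = 1, REINITIALIZE_CREDS = 2 };

/* The test the fixes hinge on: a process runs in a setuid (or setgid)
 * context when either effective ID differs from the matching real ID. */
bool setuid_context(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Same check for the calling process itself. */
bool current_process_setuid(void)
{
    return setuid_context(getuid(), geteuid(), getgid(), getegid());
}

/* Pre-3.13 behaviour: KRB5CCNAME is honoured unconditionally, so a caller
 * such as Solaris su that never wipes the environment lets the unprivileged
 * user pick where the privileged process writes the credential cache. */
const char *ccache_name_insecure(const char *env_ccname, const char *fallback)
{
    return env_ccname != NULL ? env_ccname : fallback;
}

/* 3.13 behaviour: the environment is only trusted outside a setuid context
 * (mirroring krb5_init_secure_context ignoring KRB5_CONFIG and friends). */
const char *ccache_name_secure(bool setuid, const char *env_ccname,
                               const char *fallback)
{
    if (setuid)
        return fallback;
    return env_ccname != NULL ? env_ccname : fallback;
}

/* Second fix: pam_setcred(PAM_REINITIALIZE_CREDS) in a setuid context logs
 * an error and reports success without writing anything. Returns whether
 * the cache should actually be (re)written. */
bool should_write_creds(bool setuid, enum setcred_flag flag)
{
    if (flag == REINITIALIZE_CREDS && setuid)
        return false;
    return true;
}
```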