GSI-OpenSSH Security Advisory: pamuserchange-2013-01.adv

URL: http://grid.ncsa.illinois.edu/ssh/pamuserchange-2013-01.adv
Original issue date: April 2 2013
Last revised: None

Software affected:
  GSI-OpenSSH (versions 4.7-5.5)
  GSI patch for OpenSSH (versions 20090831-20120903)

1. Overview

GSI-OpenSSH is a modified version of OpenSSH that adds support for RFC 3820 proxy certificate authentication and delegation. GSI-OpenSSH is provided by NCSA and is not associated with the OpenSSH project. GSI-OpenSSH is provided as both a standalone package and as a patch to OpenSSH.

The PermitPAMUserChange feature added to GSI-OpenSSH in August 2009 [1], based on an earlier OpenSSH patch [2], contains a memory management bug that may allow an authenticated user to log in to an unauthorized account. The PermitPAMUserChange feature is disabled by default and must be explicitly enabled by the system administrator. It is used primarily with MEG (MyProxy Enabled GSISSHD) [3].

The PermitPAMUserChange feature allows users to log in to a system using a username that need not correspond to a local system account, provided that PAM accepts the username, authenticates the user, and then maps the user to an existing local system account via PAM_USER. The memory management bug can cause the authenticated user to be mapped to an account different from PAM_USER.

2. Affected Configurations

Default configurations of GSI-OpenSSH are not affected. The bug can be triggered only if sshd_config contains "PermitPAMUserChange yes" and /etc/pam.d/sshd (or equivalent) is configured with a PAM module that modifies PAM_USER.

3. Mitigation

Removing "PermitPAMUserChange yes" from sshd_config (if it was previously added by the system administrator) will disable the affected functionality.

4. Fix

GSI-OpenSSH 5.6 contains a fix for this bug.
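To show the class of bug the fix addresses, here is an added C example (not GSI-OpenSSH code) in which a stand-in authentication context keeps the passwd entry for the PAM_USER mapping: an aliased entry is silently changed by a later, unrelated lookup, while a deep copy made the way pwcopy() does is not. The non-owned storage is modelled, as an assumption, on getpwnam(3)'s single static entry; the advisory itself does not say what the original pointer referred to.

```c
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for sshd's authentication context: the passwd entry the
 * PAM-authenticated user was mapped to after PAM_USER was changed. */
struct authctxt { struct passwd *pw; };

/* Stand-in for getpwnam(3) with two constructed accounts. Like the real
 * call it returns ONE static entry that every later lookup overwrites. */
static struct passwd *lookup_user(const char *name)
{
    static struct passwd ent;
    static char namebuf[32];
    if (strcmp(name, "alice") == 0) ent.pw_uid = 1000;
    else if (strcmp(name, "bob") == 0) ent.pw_uid = 1001;
    else return NULL;
    strncpy(namebuf, name, sizeof namebuf - 1);
    ent.pw_name = namebuf;
    return &ent;
}

/* Simplified deep copy in the spirit of OpenSSH's pwcopy(); the caller
 * owns the result and releases it with pwfree(). */
static struct passwd *pwcopy(const struct passwd *src)
{
    struct passwd *dst = calloc(1, sizeof *dst);
    size_t n = strlen(src->pw_name) + 1;
    if (dst == NULL || (dst->pw_name = malloc(n)) == NULL) abort();
    memcpy(dst->pw_name, src->pw_name, n);
    dst->pw_uid = src->pw_uid;
    return dst;
}

static void pwfree(struct passwd *pw) { free(pw->pw_name); free(pw); }
/* PAM maps the authenticated user to PAM_USER "alice"; later an unrelated
 * code path looks "bob" up. Returns the uid the context now believes the
 * session belongs to: 1001 (bob) if aliased, 1000 (alice) if copied. */
static uid_t mapped_uid_after_later_lookup(int use_copy)
{
    struct authctxt ctx = { NULL };
    struct passwd *pw = lookup_user("alice");
    ctx.pw = use_copy ? pwcopy(pw) : pw;   /* fixed form vs. buggy form */
    (void)lookup_user("bob");              /* clobbers the static entry */
    uid_t uid = ctx.pw->pw_uid;
    if (use_copy) pwfree(ctx.pw);
    return uid;
}
```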
Alternatively, system administrators may apply the following patch to the GSI-OpenSSH source code:

diff -Naur old/auth-pam.c new/auth-pam.c --- old/auth-pam.c 2010-08-10 14:36:30.000000000 +0000 +++ new/auth-pam.c 2013-03-12 19:10:29.000000000 +0000 @@ -312,7 +312,7 @@ fatal("PAM: could not get passwd entry for user " "'%.100s' provided by PAM_USER", user); pwfree(sshpam_authctxt->pw); - sshpam_authctxt->pw = pw; + sshpam_authctxt->pw = pwcopy(pw); sshpam_authctxt->valid = allowed_user(pw); debug("PAM: user '%.100s' now %svalid", user, sshpam_authctxt->valid ? "" : "in");

5. Credit

This issue was reported by Venkatesh Yekkirala.

6. References

[1] https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6839
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1215
[3] http://wiki.ngs.ac.uk/index.php?title=MEG
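Review bot: the changed line `sshpam_authctxt->pw = pwcopy(pw);` is an ownership fix and deserves a one-line comment saying so, since nothing in the hunk explains why the copy is needed. The context releases its entry with `pwfree(sshpam_authctxt->pw)` immediately above, so whatever is stored there must be a heap entry the context owns outright; the old assignment stored `pw` itself, leaving the context sharing that entry with whichever code still held it, and any later free or overwrite of the shared entry is how a session can end up mapped to an account other than PAM_USER. The following unchanged line `sshpam_authctxt->valid = allowed_user(pw);` still evaluates the original `pw` rather than the copy, which is correct at that instant because both describe the same user, but it is the last use of the uncopied pointer and is worth mentioning in the same comment.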