ssh 1.2.27 doesn't appear to have the trivial exploit problem.
It includes code that disallows kerberos access if the ssh 
binary is installed setuid root.  The CRC32 subversion issue,
on the other hand, may very well still be a problem with
ssh 1.2.27.

Re:
> Date: Tue, 28 Mar 2000 13:34:00 -0500 (EST)
> From: Dug Song <[EMAIL PROTECTED]>
> To: Tatu Ylonen <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: AFS patch for SSH
> 
> On Tue, 28 Mar 2000, Tatu Ylonen wrote:
> 
> > Please note that there have been serious security problems in SSH1
> > (and OpenSSH) kerberos support.  I'm not fully up to date on whether
> > they have been fixed.
> 
> you mean, Kerberos v5 support, which only exists in SSH1 (NOT OpenSSH).
> 
> the exploit for ssh1 was trivial - point the KRB5CCNAME environment
> variable to someone else's ticket file, and the setuid root ssh1 would
> happily use those credentials for authentication.
> 
> OpenSSH does not suffer this problem, as it uses the KTH Kerberos v4
> implementation, which has simple checks for setuid root programs opening
> arbitrary ticket files. to my knowledge, MIT's Kerberos v5 implementation
> still does not, which is why ssh1 Kerberos v5 support is still broken.
> 
> -d.
> 
> ---
> http://www.monkey.org/~dugsong/
> 
> 
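The kind of check the quoted message describes for a setuid program opening a ticket file, as an added C example; it is not code from ssh, KTH Kerberos or MIT Kerberos. The function names and the `/tmp/krb5cc_<uid>` default path are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a ticket file only if it is a regular file owned by real_uid with no
 * group/other access. fstat() on the open fd avoids a check-then-use race. */
int open_ticket_file(const char *path, uid_t real_uid)
{
    struct stat st;
    /* O_NOFOLLOW: refuse symlinks; O_NONBLOCK: never hang on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != real_uid || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Honour KRB5CCNAME only when not running setuid (real uid == effective uid);
 * otherwise use a per-user default path (an assumption of this example). */
int choose_ticket_path(char *buf, size_t len, uid_t ruid, uid_t euid)
{
    const char *env = getenv("KRB5CCNAME");
    int n;
    if (env != NULL && ruid == euid) {
        if (strncmp(env, "FILE:", 5) == 0)
            env += 5;                      /* strip the cache-type prefix */
        n = snprintf(buf, len, "%s", env);
    } else {
        n = snprintf(buf, len, "/tmp/krb5cc_%lu", (unsigned long)ruid);
    }
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
    char path[256];
    if (choose_ticket_path(path, sizeof path, getuid(), geteuid()) != 0)
        return 1;
    int fd = open_ticket_file(path, getuid());
    printf("%s: %s\n", path, fd >= 0 ? "accepted" : "refused");
    return 0;
}
```

Either check alone closes the hole described: the environment variable is ignored when the real and effective uids differ, and a file owned by another user is refused even if its path is supplied.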
