
New authd users logging in via SSH are members of the root group

Impact

When an authd user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges.

Preconditions under which this vulnerability affects a system

* authd was installed via the PPA.
* An OAuth 2.0 application was registered in Microsoft Entra ID or Google IAM, and the respective authd broker was installed (authd-msentraid or authd-google) and configured.
* sshd was configured to enable SSH access with authd, i.e.:

    UsePAM yes
    KbdInteractiveAuthentication yes

* The username is allowed by the ssh_allowed_suffixes option in the broker configuration.
* The user is allowed by the allowed_users option in the broker configuration.
* The user successfully authenticates via the authd broker (Entra ID or Google IAM).
* The user did not log in locally before.

Patches

Fixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab

Workarounds

Configure the SSH server to not allow authenticating via authd, for example by setting UsePAM no or KbdInteractiveAuthentication no in the sshd_config (see …)
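A defender's check for the sshd precondition and for the symptom described above, added here as an example that is not part of the advisory or of the authd project: one function tests whether the effective sshd configuration still lets authd authenticate SSH logins, the other tests whether a non-root session carries the root group. The function names and the sample inputs are assumptions; the samples are constructed in the shape of `sshd -T` and `id -G` output, not captured from a real host.

```shell
#!/bin/sh
# Return 0 (still exposed) when both UsePAM and KbdInteractiveAuthentication
# are enabled in the effective sshd configuration, 1 when at least one of
# them is off (the advisory's workaround). $1 is text in `sshd -T` format,
# which prints lowercase keywords followed by their values.
authd_ssh_exposed() {
    usepam=$(printf '%s\n' "$1" | awk '$1 == "usepam" { print $2 }')
    kbd=$(printf '%s\n' "$1" | awk '$1 == "kbdinteractiveauthentication" { print $2 }')
    [ "$usepam" = "yes" ] && [ "$kbd" = "yes" ]
}

# Return 0 when a session for a non-root uid ($1) lists the root group
# (gid 0) among its groups ($2, space-separated as printed by `id -G`),
# which is the symptom the advisory describes. A uid-0 session is expected
# to have gid 0 and is not reported.
session_has_root_group() {
    [ "$1" != "0" ] || return 1
    for g in $2; do
        [ "$g" = "0" ] && return 0
    done
    return 1
}

# Constructed sample configurations (not from a real host).
EXPOSED_CONF='port 22
usepam yes
kbdinteractiveauthentication yes
passwordauthentication no'

MITIGATED_CONF='port 22
usepam yes
kbdinteractiveauthentication no
passwordauthentication no'

# Usage on a live host, inside the SSH session of a newly created authd user:
#   authd_ssh_exposed "$(sshd -T)" && echo "sshd still allows authd logins"
#   session_has_root_group "$(id -u)" "$(id -G)" && echo "session carries gid 0"
```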

