---
branch: netbsd-8
date: Wed Jun 21 22:04:13 UTC 2023
files:
  - new: 1.11.40.1
    old: '1.11'
    path: src/lib/libpam/modules/pam_krb5/pam_krb5.8
    pathrev: src/lib/libpam/modules/pam_krb5/pam_krb5.8@1.11.40.1
    type: modified
  - new: 1.26.18.1
    old: '1.26'
    path: src/lib/libpam/modules/pam_krb5/pam_krb5.c
    pathrev: src/lib/libpam/modules/pam_krb5/pam_krb5.c@1.26.18.1
    type: modified
id: 20230621T220413Z.a5a7e9eb0cf604c5b04929fd8595b96f4b9346f6
log: |
  Pull up following revision(s) (requested by riastradh in ticket #1844):

  	lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
  	lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

  pam_krb5: Refuse to operate without a key to verify tickets.

  New allow_kdc_spoof overrides this to restore previous behaviour
  which was vulnerable to KDC spoofing, because without a host or
  service key, pam_krb5 can't distinguish the legitimate KDC from a
  spoofed one.

  This way, having pam_krb5 enabled isn't dangerous even if you create
  an empty /etc/krb5.conf to use client SSO without any host services.

  Perhaps this should use krb5_verify_init_creds(3) instead, and
  thereby respect the rather obscurely named krb5.conf option
  verify_ap_req_nofail like the Linux pam_krb5 does, but:
  - verify_ap_req_nofail is default-off (i.e., vulnerable by default),
  - changing verify_ap_req_nofail to default-on would probably affect
    more things and therefore be riskier,
  - allow_kdc_spoof is a much clearer way to spell the idea,
  - this patch is a smaller semantic change and thus less risky, and
  - a security change with compatibility issues shouldn't have a
    workaround that might introduce potentially worse security issues
    or more compatibility issues.

  Perhaps this should use krb5_verify_user(3) with secure=1 instead,
  for simplicity, but it's not clear how to do that without first
  prompting for the password -- which we shouldn't do at all if we
  later decide we won't be able to use it anyway -- and without
  repeating a bunch of the logic here anyway to pick the service name.

  References about verify_ap_req_nofail:
  - mit-krb5 discussion about verify_ap_req_nofail:
    https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
  - Oracle has the default-secure setting in their krb5 system:
    https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
    https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
    https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
  - Heimdal issue on verify_ap_req_nofail default:
    https://github.com/heimdal/heimdal/issues/1129
module: src
subject: 'CVS commit: [netbsd-8] src/lib/libpam/modules/pam_krb5'
unixtime: '1687385053'
user: martin