Date: Wed, 21 Jun 2023 22:00:58 +0000
From: "Martin Husemann"
Subject: CVS commit: [netbsd-9] src/lib/libpam/modules/pam_krb5
To: source-changes@NetBSD.org
Approved: for-source-only
Reply-To: martin@netbsd.org
Message-Id: <20230621220058.0E6D9FA89@cvs.NetBSD.org>

Module Name:    src
Committed By:   martin
Date:           Wed Jun 21 22:00:57 UTC 2023

Modified Files:
        src/lib/libpam/modules/pam_krb5 [netbsd-9]: pam_krb5.8 pam_krb5.c

Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1652):

        lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
        lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour which
was vulnerable to KDC spoofing, because without a host or service key,
pam_krb5 can't distinguish the legitimate KDC from a spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create an
empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and thereby
respect the rather obscurely named krb5.conf option verify_ap_req_nofail
like the Linux pam_krb5 does, but:

- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more
  things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues or
  more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead, for
simplicity, but it's not clear how to do that without first prompting
for the password -- which we shouldn't do at all if we later decide we
won't be able to use it anyway -- and without repeating a bunch of the
logic here anyway to pick the service name.

References about verify_ap_req_nofail:

- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.12.8.1 src/lib/libpam/modules/pam_krb5/pam_krb5.8
cvs rdiff -u -r1.26 -r1.26.28.1 src/lib/libpam/modules/pam_krb5/pam_krb5.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
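An audit helper, added here as an example and not part of the commit or of NetBSD's pam_krb5, that checks a host for the two conditions the log message describes: pam.d entries that opt back into the spoofable behaviour with allow_kdc_spoof, and the presence of a keytab holding the key pam_krb5 needs to verify tickets. It assumes NetBSD-style pam.d lines of the form "type control module [option ...]" and takes the keytab path as an argument (commonly /etc/krb5.keytab); the sample pam.d directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not NetBSD code). Reports pam.d entries that load
# pam_krb5 with the allow_kdc_spoof option, and checks that a keytab is
# present so pam_krb5 has a key to verify tickets against.
# Assumes NetBSD-style pam.d lines: "type control module [option ...]".

# Print "file: line" for each pam_krb5 entry carrying allow_kdc_spoof.
# Exit status 0 if at least one such entry exists, 1 otherwise.
find_kdc_spoof_optins() {
    pamdir=$1
    status=1
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | awk -v file="$f" '
            $3 ~ /^pam_krb5(\.so)?$/ {
                for (i = 4; i <= NF; i++)
                    if ($i == "allow_kdc_spoof") { print file ": " $0; hit = 1 }
            }
            END { exit hit ? 0 : 1 }'; then
            status=0
        fi
    done
    return $status
}

# Exit status 0 if the keytab exists and is non-empty; 1 otherwise.
# (Pass the path explicitly; /etc/krb5.keytab is the usual default.)
keytab_present() {
    [ -s "$1" ]
}

# Build a constructed pam.d directory for the demonstration; print its path.
make_sample_pamdir() {
    d=$(mktemp -d)
    printf '%s\n' '# login: opted back into the old, spoofable behaviour' \
        'auth sufficient pam_krb5.so no_warn try_first_pass allow_kdc_spoof' \
        'auth required pam_unix.so no_warn try_first_pass' > "$d/login"
    printf '%s\n' 'auth sufficient pam_krb5.so no_warn try_first_pass' \
        'auth required pam_unix.so no_warn try_first_pass' > "$d/sshd"
    printf '%s' "$d"
}

# Stand-alone run: audit the constructed directory and a missing keytab.
dir=$(make_sample_pamdir)
find_kdc_spoof_optins "$dir" || echo "no allow_kdc_spoof entries found"
keytab_present "$dir/krb5.keytab" || echo "no keytab: pam_krb5 will refuse to authenticate"
```

On a real host, point the first function at /etc/pam.d and the second at the keytab pam_krb5 reads; an entry that needs allow_kdc_spoof is exactly a host with no verification key, which is the configuration this commit stops from silently authenticating.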