History log of /src/lib/libpam/modules/pam_krb5

Revision | Date | Author | Comments
1.13 | 13-Jul-2025 | christos | Get ready to handle the openssl move from bsd -> apache2

1.12 | 04-Feb-2018 | christos | branches: 1.12.16; switch everyone to openssl.old

1.11 | 26-May-2011 | joerg | Default to -Wno-sign-compare -Wno-pointer-sign for clang. Push -Wno-array-bounds down to the cases that depend on it. Selectively disable warnings for 3rd party software or non-trivial issues to be reviewed later to get clang -Werror to build most of the tree.

1.10 | 15-Apr-2011 | elric | Upgrade Heimdal to 1.5pre1 by switching the build from crypto/dist/heimdal to crypto/external/bsd/heimdal. The latter was just imported as the head of the Heimdal tree as of a few days ago.

1.9 | 20-Jul-2009 | christos | use the proper libcrypto

1.8 | 27-Oct-2008 | mrg | use LIBDPLIBS+= not =.

1.7 | 27-Oct-2008 | mrg | don't set LIBDPLIBS in libpam/modules/Makefile - it is not necessary and it interferes with the compat lib build. don't use LIB_ROOT_DIR.

1.6 | 25-Apr-2005 | matt | Remove CPPFLAGS

1.5 | 25-Apr-2005 | matt | Add ${DESTDIR}/usr/include/krb5 to CPPFLAGS so <parse_units.h> can be found.

1.4 | 29-Dec-2004 | lukem | Use LIBDPLIBS to provide the list of libraries for the modules to depend upon, because:
* it's MUCH quicker; no need to calculate the OBJDIRS of every library we might require in every subdir. (make obj drops from 21s to 3s on my system.)
* it's more robust when building to a fresh DESTDIR.

1.3 | 29-Dec-2004 | christos | Link with libraries from the source build directory.

1.2 | 12-Dec-2004 | christos |
- NetBSD build glue
- Warning fixes
- RCSID's

1.1 | 12-Dec-2004 | christos | branches: 1.1.1; Initial revision

1.1.1.1 | 12-Dec-2004 | christos |
- Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do with them.
- Imported radius and ssh, although they will not work until we import libradius and re-structure our tree to install libssh.

1.12.16.1 | 02-Aug-2025 | perseant | Sync with HEAD

1.13 | 20-Jun-2023 | riastradh | pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.12 | 03-Jul-2017 | wiz | branches: 1.12.8; 1.12.16; Remove workaround for ancient HTML generation code.

1.11 | 02-Dec-2008 | reed | branches: 1.11.40; Add missing copyright and license.
This license is identical to that on the pam_krb5.c file minus the other copyrights and the unrelated contract attribution.
From email communication with the author, Frank Cusack.

1.10 | 01-Dec-2007 | wiz | eg -> e.g.

1.9 | 10-Mar-2007 | christos | branches: 1.9.4; bump date

1.8 | 10-Mar-2007 | christos | tyop

1.7 | 10-Mar-2007 | christos | PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

1.6 | 28-Feb-2005 | wiz | Bump date for new SECURITY CONSIDERATIONS section.

1.5 | 27-Feb-2005 | thorpej | Add a SECURITY CONSIDERATIONS section.

1.4 | 26-Feb-2005 | thorpej | Wording consistency nits.

1.3 | 20-Feb-2005 | wiz | <> -> \*[Lt]\*[Gt].

1.2 | 12-Dec-2004 | christos |
- NetBSD build glue
- Warning fixes
- RCSID's

1.1 | 12-Dec-2004 | christos | branches: 1.1.1; Initial revision

1.1.1.1 | 12-Dec-2004 | christos |
- Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do with them.
- Imported radius and ssh, although they will not work until we import libradius and re-structure our tree to install libssh.

1.9.4.1 | 09-Jan-2008 | matt | sync with HEAD

1.11.40.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1844):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.12.16.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #206):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.12.8.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1652):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.32 | 28-Sep-2023 | riastradh | pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by review or, somehow, by my own testing. Evidently we need automatic tests for this pam business.
XXX pullup-10
XXX pullup-9
XXX pullup-8

1.31 | 20-Jun-2023 | riastradh | pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.30 | 16-Jan-2022 | rillig | branches: 1.30.2; libpam: remove stray semicolon
No binary change.

1.29 | 12-Jun-2020 | fox | lib/libpam: Fix the possible -Werror=stringop-truncation
Replace strncpy(3) with the safer strlcpy(3) and adjust the code.
Error was reported when build.sh was run with MKLIBCSANITIZER=yes flag.
Reviewed by: kamil@, christos@

1.28 | 07-Feb-2020 | christos | there is no potential overflow anymore (thanks Kamil)

1.27 | 07-Feb-2020 | christos | stop using sprintf and check for buffer overflow.

1.26 | 28-Dec-2013 | christos | branches: 1.26.18; 1.26.26; 1.26.28; avoid using freed pointers and non-format strings

1.25 | 25-Apr-2011 | christos | branches: 1.25.4; 1.25.10;
- make log_krb5 variadic
- centralize error handling to one function
- check for NULL context

1.24 | 24-Apr-2011 | elric | Remove use of functions marked as deprecated in Heimdal.

1.23 | 02-Apr-2011 | mbalmer | Fix misplaced parenthesis, from henning.petersen@t-online.de, thanks.

1.22 | 08-Mar-2009 | christos | consistency in password prompt setting code (and with ssh)

1.21 | 27-Jan-2008 | christos | branches: 1.21.12; Fix compilation

1.20 | 10-Mar-2007 | christos | branches: 1.20.4; off by one, reported by jukka salmi.

1.19 | 10-Mar-2007 | christos | PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

1.18 | 03-Nov-2006 | christos | init the syslog data.

1.17 | 03-Nov-2006 | christos | use the re-entrant syslog functions so that we don't depend on the syslog settings of the calling program.

1.16 | 25-May-2006 | christos | Coverity CID 3783: Fix uninit variable.

1.15 | 23-May-2006 | christos | Coverity CID 3677: Plug memory leak

1.14 | 19-Mar-2006 | christos | Coverity CID 1909: Prevent memory leak.

1.13 | 19-Mar-2006 | christos | Coverity CID 2480: Move variable initialization higher up to prevent uninitialized access during error cleanup.

1.12 | 19-Mar-2006 | christos | Coverity CID 2481: Move initialization of variable higher up to prevent uninitialized access in error path.

1.11 | 19-Mar-2006 | christos | Coverity CID 2595: Don't call cc_destroy after cc_close because cc_close frees the second argument.

1.10 | 27-Sep-2005 | tsarna | Implement PAM_REFRESH_CRED / PAM_REINITIALIZE_CRED support in pam_sm_setcred()
With this and a suitably pam-aware screen locker (eg xscreensaver built with PAM), you now get the nice Windows-style behavior of having your tickets refreshed (and tokens, with pam_afslog) when you unlock your screen.

1.9 | 19-Apr-2005 | lukem | getpw*_r() may return 0 and set pwd==NULL

1.8 | 19-Apr-2005 | christos | check for pwd != in getpw*_r functions.

1.7 | 31-Mar-2005 | thorpej | Use getpwnam_r().

1.6 | 26-Feb-2005 | thorpej | branches: 1.6.2; Place some limits on the creds acquired for password change. Other minor cleanup inspired by passwd(1).

1.5 | 26-Feb-2005 | thorpej | Use the more familiar princ@realm style of password prompt.

1.4 | 26-Feb-2005 | thorpej | Check for PAM_PRELIM_CHECK and simply do nothing. (Did this even work in FreeBSD?)

1.3 | 26-Feb-2005 | thorpej | Merge PAM20050226.

1.2 | 12-Dec-2004 | christos |
- NetBSD build glue
- Warning fixes
- RCSID's

1.1 | 12-Dec-2004 | christos | branches: 1.1.1; Initial revision

1.1.1.2 | 26-Feb-2005 | thorpej | Import FreeBSD's PAM modules corresponding to the ones we currently support as of today (20050226). This brings in some fixes to a few of the PAM modules.

1.1.1.1 | 12-Dec-2004 | christos |
- Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do with them.
- Imported radius and ssh, although they will not work until we import libradius and re-structure our tree to install libssh.

1.6.2.4 | 05-Jan-2007 | tron | Apply patch (request by ghen in ticket #1617): Update OpenPAM to 20050616 ("Figwort") and add the pam_afslog(8) authentication module.

1.6.2.3 | 11-Jul-2005 | tron | Pull up revision 1.9 (requested by lukem in ticket #539): getpw*_r() may return 0 and set pwd==NULL

1.6.2.2 | 11-Jul-2005 | tron | Pull up revision 1.8 (requested by lukem in ticket #539): check for pwd != in getpw*_r functions.

1.6.2.1 | 04-Apr-2005 | tron | Pull up revision 1.7 (requested by thorpej in ticket #96): Use getpwnam_r().

1.20.4.1 | 23-Mar-2008 | matt | sync with HEAD

1.21.12.1 | 13-May-2009 | jym | Sync with HEAD.
Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html

1.25.10.1 | 20-Aug-2014 | tls | Rebase to HEAD as of a few days ago.

1.25.4.1 | 22-May-2014 | yamt | sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")

1.26.28.2 | 02-Oct-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1734):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by review or, somehow, by my own testing. Evidently we need automatic tests for this pam business.

1.26.28.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1652):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.26.26.1 | 08-Apr-2020 | martin | Merge changes from current as of 20200406

1.26.18.2 | 02-Oct-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1898):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by review or, somehow, by my own testing. Evidently we need automatic tests for this pam business.

1.26.18.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #1844):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129

1.30.2.2 | 02-Oct-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #380):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by review or, somehow, by my own testing. Evidently we need automatic tests for this pam business.

1.30.2.1 | 21-Jun-2023 | martin | Pull up following revision(s) (requested by riastradh in ticket #206):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour which was vulnerable to KDC spoofing, because without a host or service key, pam_krb5 can't distinguish the legitimate KDC from a spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and thereby respect the rather obscurely named krb5.conf option verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a workaround that might introduce potentially worse security issues or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead, for simplicity, but it's not clear how to do that without first prompting for the password -- which we shouldn't do at all if we later decide we won't be able to use it anyway -- and without repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail: https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default: https://github.com/heimdal/heimdal/issues/1129