| History log of /src/lib/libpam/modules/pam_krb5/pam_krb5.c |
| Revision | | Date | Author | Comments |
| 1.32 |
| 28-Sep-2023 |
riastradh | pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
XXX pullup-10
XXX pullup-9
XXX pullup-8
|
| 1.31 |
| 20-Jun-2023 |
riastradh | pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
|
| 1.30 |
| 16-Jan-2022 |
rillig | branches: 1.30.2;
libpam: remove stray semicolon
No binary change.
|
| 1.29 |
| 12-Jun-2020 |
fox | lib/libpam: Fix the possible -Werror=stringop-truncation
Replace strncpy(3) with the safer strlcpy(3) and adjust the code.
Error was reported when build.sh was run with MKLIBCSANITIZER=yes flag.
Reviewed by: kamil@, christos@
|
| 1.28 |
| 07-Feb-2020 |
christos | there is no potential overflow anymore (thanks Kamil)
|
| 1.27 |
| 07-Feb-2020 |
christos | stop using sprintf and check for buffer overflow.
|
| 1.26 |
| 28-Dec-2013 |
christos | branches: 1.26.18; 1.26.26; 1.26.28;
avoid using freed pointers and non-format strings
|
| 1.25 |
| 25-Apr-2011 |
christos | branches: 1.25.4; 1.25.10;
- make log_krb5 varyadic
- centralize error handling to one function
- check for NULL context
|
| 1.24 |
| 24-Apr-2011 |
elric | Remove use of functions marked as deprecated in Heimdal.
|
| 1.23 |
| 02-Apr-2011 |
mbalmer | Fix misplaced parenthesis, from henning.petersen@t-online.de, thanks.
|
| 1.22 |
| 08-Mar-2009 |
christos | consistency in password prompt setting code (and with ssh)
|
| 1.21 |
| 27-Jan-2008 |
christos | branches: 1.21.12;
Fix compilation
|
| 1.20 |
| 10-Mar-2007 |
christos | branches: 1.20.4;
off by one, reported by jukka salmi.
|
| 1.19 |
| 10-Mar-2007 |
christos | PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets
|
| 1.18 |
| 03-Nov-2006 |
christos | init the syslog data.
|
| 1.17 |
| 03-Nov-2006 |
christos | use the re-entrant syslog functions so that we don't depend on the syslog
settings of the calling program.
|
| 1.16 |
| 25-May-2006 |
christos | Coverity CID 3783: Fix uninit variable.
|
| 1.15 |
| 23-May-2006 |
christos | Coverity CID 3677: Plug memory leak
|
| 1.14 |
| 19-Mar-2006 |
christos | Coverity CID 1909: Prevent memory leak.
|
| 1.13 |
| 19-Mar-2006 |
christos | Coverity CID 2480: Move variable initialization higher up to prevent
uninitialized access during error cleanup.
|
| 1.12 |
| 19-Mar-2006 |
christos | Coverity CID 2481: Move initialization of variable higher up to prevent
uninitialized access in error path.
|
| 1.11 |
| 19-Mar-2006 |
christos | Coverity CID 2595: Don't call cc_destroy after cc_close because cc_close
free's the second argument.
|
| 1.10 |
| 27-Sep-2005 |
tsarna | Implement PAM_REFRESH_CRED / PAM_REINITIALIZE_CRED
support in pam_sm_setcred()
With this and a suitably pam-aware screen locker (eg xscreensaver built
with PAM), you now get the nice Windows-style behavior of having
your tickets refreshed (and tokens, with pam_afslog) when you unlock
your screen.
|
| 1.9 |
| 19-Apr-2005 |
lukem | getpw*_r() may return 0 and set pwd==NULL
|
| 1.8 |
| 19-Apr-2005 |
christos | check for pwd != in getpw*_r functions.
|
| 1.7 |
| 31-Mar-2005 |
thorpej | Use getpwnam_r().
|
| 1.6 |
| 26-Feb-2005 |
thorpej | branches: 1.6.2;
Place some limits on the creds acquired for password change. Other
minor cleanup inspired by passwd(1).
|
| 1.5 |
| 26-Feb-2005 |
thorpej | Use the more familar princ@realm style of password prompt.
|
| 1.4 |
| 26-Feb-2005 |
thorpej | Check for PAM_PRELIM_CHECK and simply do nothing. (Did this even work
in FreeBSD?)
|
| 1.3 |
| 26-Feb-2005 |
thorpej | Merge PAM20050226.
|
| 1.2 |
| 12-Dec-2004 |
christos | - NetBSD build glue
- Warning fixes
- RCSID's
|
| 1.1 |
| 12-Dec-2004 |
christos | branches: 1.1.1;
Initial revision
|
| 1.1.1.2 |
| 26-Feb-2005 |
thorpej | Import FreeBSD's PAM modules corresponding to the ones we currently
support as of today (20050226). This brings in some fixes to a few
of the PAM modules.
|
| 1.1.1.1 |
| 12-Dec-2004 |
christos | - Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do
with them.
- Imported radius and ssh, although they will not work until we
import libradius and re-structure our tree to install libssh.
|
| 1.6.2.4 |
| 05-Jan-2007 |
tron | Apply patch (request by ghen in ticket #1617):
Update OpenPAM to 20050616 ("Figwort") and add the pam_afslog(8)
authentication module.
|
| 1.6.2.3 |
| 11-Jul-2005 |
tron | Pull up revision 1.9 (requested by lukem in ticket #539):
getpw*_r() may return 0 and set pwd==NULL
|
| 1.6.2.2 |
| 11-Jul-2005 |
tron | Pull up revision 1.8 (requested by lukem in ticket #539):
check for pwd != in getpw*_r functions.
|
| 1.6.2.1 |
| 04-Apr-2005 |
tron | Pull up revision 1.7 (requested by thorpej in ticket #96):
Use getpwnam_r().
|
| 1.20.4.1 |
| 23-Mar-2008 |
matt | sync with HEAD
|
| 1.21.12.1 |
| 13-May-2009 |
jym | Sync with HEAD.
Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
|
| 1.25.10.1 |
| 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.25.4.1 |
| 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.26.28.2 |
| 02-Oct-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1734):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
|
| 1.26.28.1 |
| 21-Jun-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1652):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
|
| 1.26.26.1 |
| 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.26.18.2 |
| 02-Oct-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1898):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
|
| 1.26.18.1 |
| 21-Jun-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1844):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
|
| 1.30.2.2 |
| 02-Oct-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #380):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.32
pam_krb5: Fix PR lib/57631.
Loose ends in the fix for NetBSD-SA2023-006 that weren't caught by
review or, somehow, by my own testing. Evidently we need automatic
tests for this pam business.
|
| 1.30.2.1 |
| 21-Jun-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #206):
lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13
pam_krb5: Refuse to operate without a key to verify tickets.
New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.
This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.
Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
workaround that might introduce potentially worse security issues
or more compatibility issues.
Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.
References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
https://github.com/heimdal/heimdal/issues/1129
|
