To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: fe5c8baf25a5 - main - pam_krb5: Restore allow_kdc_spoof option
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: fe5c8baf25a5b40285c3ef85b69391d591e4a76c
Auto-Submitted: auto-generated
Date: Mon, 24 Nov 2025 02:41:09 +0000
Message-Id: <6923c5c5.2d2ce.369de630@gitrepo.freebsd.org>

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=fe5c8baf25a5b40285c3ef85b69391d591e4a76c

commit fe5c8baf25a5b40285c3ef85b69391d591e4a76c
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-11-24 02:40:29 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-11-24 02:40:48 +0000

    pam_krb5: Restore allow_kdc_spoof option

    Not only does the new pam_krb5 module not have the same allow_kdc_spoof
    option that the old one had, its behavior in this matter defaults to
    insecure. Reimplement allow_kdc_spoof and switch the default back.

    Reviewed by:    cy
    Differential Revision:  https://reviews.freebsd.org/D53884
---
 contrib/pam-krb5/docs/pam_krb5.pod | 15 +++++++++------
 contrib/pam-krb5/module/auth.c     |  6 ++++++
 contrib/pam-krb5/module/internal.h |  3 +++
 contrib/pam-krb5/module/options.c  |  3 +++
 4 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod index 024584dfd4cd..f352af71b553 100644 --- a/contrib/pam-krb5/docs/pam_krb5.pod +++ b/contrib/pam-krb5/docs/pam_krb5.pod
@@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally F. You can point the Kerberos PAM module at a different keytab with the I option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -C to true in the [libdefaults] section of -F. Note that this will affect applications other than -this PAM module. +cannot be read or if no keys are found in it, the default behavior is to +fail authentication. If you want to skip this check, set the +C option to true either in the [appdefaults] section of +F or in the PAM policy. By default, whenever the user is authenticated, a basic authorization check will also be done using krb5_kuserok(). The default behavior of @@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning. =over 4 +=item allow_kdc_spoof + +Allow authentication to succeed even if there is no host or service +key available in a keytab to authenticate the Kerberos KDC's ticket. + =item alt_auth_map= [3.12] This functions similarly to the I option. The diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c index 065ce97b6596..46f2be791000 100644 --- a/contrib/pam-krb5/module/auth.c +++ b/contrib/pam-krb5/module/auth.c @@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds) if (cursor_valid) krb5_kt_end_seq_get(c, keytab, &cursor); } +#ifdef __FreeBSD__ + if (args->config->allow_kdc_spoof) + opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; + else + opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; +#endif /* __FreeBSD__ */ retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts); if (retval != 0) putil_err_krb5(args, retval, "credential verification failed"); 
diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h index f3ea30139815..c797f7a56cd3 100644 --- a/contrib/pam-krb5/module/internal.h +++ b/contrib/pam-krb5/module/internal.h @@ -62,6 +62,9 @@ struct pam_config { long minimum_uid; /* Ignore users below this UID. */ bool only_alt_auth; /* Alt principal must be used. */ bool search_k5login; /* Try password with each line of .k5login. */ +#ifdef __FreeBSD__ + bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */ +#endif /* __FreeBSD__ */ /* Kerberos behavior. */ char *fast_ccache; /* Cache containing armor ticket. */ diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c index 799b3a33e168..0118fb451af6 100644 --- a/contrib/pam-krb5/module/options.c +++ b/contrib/pam-krb5/module/options.c @@ -30,6 +30,9 @@ #define K(name) (#name), offsetof(struct pam_config, name) /* clang-format off */ static const struct option options[] = { +#ifdef __FreeBSD__ + { K(allow_kdc_spoof), true, BOOL (false) }, +#endif /* __FreeBSD__ */ { K(alt_auth_map), true, STRING (NULL) }, { K(anon_fast), true, BOOL (false) }, { K(banner), true, STRING ("Kerberos") },
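Review bot: In the pam_krb5.pod hunk at @@ -57,12 +57,10 @@, the rewritten paragraph describes the fail-closed default unconditionally, but the code that implements it in auth.c and options.c is wrapped in #ifdef __FreeBSD__, so the text is inaccurate for any other build of this contrib module. The removed lines also described a [libdefaults] setting as the way to make unverifiable tickets fail, and the new wording does not say whether that setting still has any effect now that auth.c decides the flag itself. Suggest marking the behavior as FreeBSD-specific and adding one sentence on how the krb5.conf [libdefaults] setting interacts with the new option.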
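Review bot: The new "=item allow_kdc_spoof" entry in the pam_krb5.pod hunk at @@ -218,6 +216,11 @@ does not state its type or default, and does not say what enabling it costs. The options.c hunk registers it as BOOL (false), so the entry should say it is a boolean that defaults to false, and that setting it re-exposes the KDC spoofing weakness the earlier paragraph describes. Neighbouring items carry a version tag such as "[3.12]"; since this one is a local addition, a short note to that effect in place of a tag would keep readers from looking for it in upstream releases.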
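Review bot: In the auth.c hunk at @@ -696,6 +696,12 @@ of verify_creds(), the added lines only set or clear KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL in opts.flags and never assign opts.ap_req_nofail. In the krb5 API that bit marks the ap_req_nofail member as explicitly set, so the fail-closed branch depends on whatever value the member already holds, and the allow branch hands the decision back to the library default instead of forcing "allow". Unless the member is assigned elsewhere in the function (not visible in this hunk), prefer the setter: krb5_verify_init_creds_opt_set_ap_req_nofail(&opts, !args->config->allow_kdc_spoof). A regression test for the missing-keytab case in both settings would also be worth adding; the diffstat shows none.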
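Review bot: Style nit in the internal.h hunk at @@ -62,6 +62,9 @@: the new member reads "bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */", with no whitespace between the declaration and its comment and no trailing period, unlike the neighbouring "/* Alt principal must be used. */". Suggest aligning the comment with the surrounding members and ending it with a period.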