Date: Mon, 24 Nov 2025 03:15:35 +0000 Message-ID: <6923cdd7.3014c.55ed939f@gitrepo.freebsd.org>
The branch stable/15 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=2eb030d1c8f1f307c2e0570538633d4e0822a4ff

commit 2eb030d1c8f1f307c2e0570538633d4e0822a4ff
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2025-11-24 02:40:29 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2025-11-24 02:42:30 +0000

    pam_krb5: Restore allow_kdc_spoof option

    Not only does the new pam_krb5 module not have the same allow_kdc_spoof
    option that the old one had, its behavior in this matter defaults to
    insecure. Reimplement allow_kdc_spoof and switch the default back.

    Reviewed by:    cy
    Differential Revision:  https://reviews.freebsd.org/D53884

    (cherry picked from commit fe5c8baf25a5b40285c3ef85b69391d591e4a76c)
---
 contrib/pam-krb5/docs/pam_krb5.pod | 15 +++++++++------
 contrib/pam-krb5/module/auth.c     |  6 ++++++
 contrib/pam-krb5/module/internal.h |  3 +++
 contrib/pam-krb5/module/options.c  |  3 +++
 4 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod
index 024584dfd4cd..f352af71b553 100644
--- a/contrib/pam-krb5/docs/pam_krb5.pod
+++ b/contrib/pam-krb5/docs/pam_krb5.pod
@@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM module at a different keytab with the I<keytab> option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -C<verify_ap_req_nofail> to true in the [libdefaults] section of -F</etc/krb5.conf>. Note that this will affect applications other than -this PAM module. +cannot be read or if no keys are found in it, the default behavior is to +fail authentication. If you want to skip this check, set the +C<allow_kdc_spoof> option to true either in the [appdefaults] section of +F</etc/krb5.conf> or in the PAM policy. By default, whenever the user is authenticated, a basic authorization check will also be done using krb5_kuserok(). The default behavior of @@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning. =over 4 +=item allow_kdc_spoof + +Allow authentication to succeed even if there is no host or service +key available in a keytab to authenticate the Kerberos KDC's ticket. + =item alt_auth_map=<format> [3.12] This functions similarly to the I<search_k5login> option. The diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c index 065ce97b6596..46f2be791000 100644 --- a/contrib/pam-krb5/module/auth.c +++ b/contrib/pam-krb5/module/auth.c 
@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds) if (cursor_valid) krb5_kt_end_seq_get(c, keytab, &cursor); } +#ifdef __FreeBSD__ + if (args->config->allow_kdc_spoof) + opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; + else + opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; +#endif /* __FreeBSD__ */ retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts); if (retval != 0) putil_err_krb5(args, retval, "credential verification failed"); diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h index f3ea30139815..c797f7a56cd3 100644 --- a/contrib/pam-krb5/module/internal.h +++ b/contrib/pam-krb5/module/internal.h @@ -62,6 +62,9 @@ struct pam_config { long minimum_uid; /* Ignore users below this UID. */ bool only_alt_auth; /* Alt principal must be used. */ bool search_k5login; /* Try password with each line of .k5login. */ +#ifdef __FreeBSD__ + bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */ +#endif /* __FreeBSD__ */ /* Kerberos behavior. */ char *fast_ccache; /* Cache containing armor ticket. */ diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c index 799b3a33e168..0118fb451af6 100644 --- a/contrib/pam-krb5/module/options.c +++ b/contrib/pam-krb5/module/options.c @@ -30,6 +30,9 @@ #define K(name) (#name), offsetof(struct pam_config, name) /* clang-format off */ static const struct option options[] = { +#ifdef __FreeBSD__ + { K(allow_kdc_spoof), true, BOOL (false) }, +#endif /* __FreeBSD__ */ { K(alt_auth_map), true, STRING (NULL) }, { K(anon_fast), true, BOOL (false) }, { K(banner), true, STRING ("Kerberos") },
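Review bot: The rewritten paragraph in the first pam_krb5.pod hunk (@@ -57) drops the only mention of verify_ap_req_nofail in [libdefaults], yet the Kerberos library still honours that krb5.conf setting on its own, independently of the flag the module toggles, so a reader can no longer tell how the two interact. Suggest keeping one sentence such as "Setting allow_kdc_spoof does not override verify_ap_req_nofail = true in the [libdefaults] section of /etc/krb5.conf", so administrators who already rely on the library setting know it still applies.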
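Review bot: The new =item allow_kdc_spoof entry in the second pam_krb5.pod hunk (@@ -218) does not say the option is FreeBSD-specific, although every code path that reads it is under #ifdef __FreeBSD__, and unlike its neighbour (alt_auth_map=<format> [3.12]) it carries no version tag even though the list preamble promises one for each option. Suggest tagging it, e.g. "=item allow_kdc_spoof [FreeBSD]", and adding a sentence that enabling it reintroduces the KDC spoofing exposure described in the keytab paragraph above, since the entry text on its own reads as harmless.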
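Review bot: The auth.c hunk (@@ -696) only sets or clears the KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL bit in opts.flags and never assigns the companion opts.ap_req_nofail field; in both MIT and Heimdal that flag means "the ap_req_nofail field is authoritative" rather than "fail", and nothing in the visible lines sets the field, so if it is still zero from opts initialisation the intended secure branch may not enforce failure at all. Suggest the public setter, which assigns both the flag and the value and does not depend on the struct layout: `krb5_verify_init_creds_opt_set_ap_req_nofail(&opts, !args->config->allow_kdc_spoof);`.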
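Review bot: Style in the internal.h hunk (@@ -62): `bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */` has no space before the comment, is not aligned with the neighbouring field comments, and lacks the terminating period the other comments use; suggest `bool allow_kdc_spoof; /* Allow auth even if KDC cannot be verified. */`. A short comment naming this as a FreeBSD-local addition to a struct shared with upstream would also help whoever next merges contrib/pam-krb5.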
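Review bot: The options.c hunk (@@ -30) registers allow_kdc_spoof with the krb5.conf-settable field set to `true`, matching the documentation hunk that allows it in [appdefaults]; since a single [appdefaults] line can then weaken KDC verification for every PAM service on the host, consider emitting a debug-level message from verify_creds when the option is in effect so the weaker mode is visible in authentication logs rather than silent. The secure default, `BOOL (false)`, is correct and the entry keeps the table's alphabetical order.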
