CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
pam_krb5: Fix spoofing vulnerability
author Cy Schubert <cy@FreeBSD.org>
Wed, 31 May 2023 19:20:27 +0000 (12:20 -0700)
committer Gordon Tetlow <gordon@FreeBSD.org>
Wed, 21 Jun 2023 05:27:22 +0000 (22:27 -0700)
commit 07e3f54f2ea1a9c5c5e643155994eeec912d16d7
tree 6d68414e8effa2027aa19fc3de61a22eedc3fe2a
parent bc61a15ededc1b49ea183b1d23b8bcdbee64d99f
pam_krb5: Fix spoofing vulnerability

An adversary on the network can log in via ssh as any user by spoofing
the KDC. When the machine has a keytab installed the keytab is used to
verify the service ticket. However, without a keytab there is no way
for pam_krb5 to verify the KDC's response and get a TGT with the
password.

If both the password _and_ the KDC are controlled by an adversary, the
adversary can provide a password that the adversary's spoofed KDC will
return a valid tgt for.  Currently, without a keytab, pam_krb5 is
vulnerable to this attack.

Reported by: Taylor R Campbell <riastradh@netbsd.org> via emaste@
Reviewed by: so
Approved by: so
Security: FreeBSD-SA-23:04.pam_krb5
Security: CVE-2023-3326

(cherry picked from commit 813847e49e35439ba5d7bf16034b0691312068a4)
(cherry picked from commit 6322a6c9daaabbf0b5d17c5d5a4f245f474a7e30)
lib/libpam/modules/pam_krb5/pam_krb5.8
lib/libpam/modules/pam_krb5/pam_krb5.c
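
A host-side audit for the condition the commit message describes, as an added example that is not part of this commit or of FreeBSD's code: it flags PAM service files with an active pam_krb5 auth line when the keytab is missing or empty. The function name, its two path arguments, and the allow_kdc_spoof check (an option name taken from the patched module's manual page, not from this page) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not FreeBSD code. Paths are arguments so the check can be
# pointed at a copy of a host's configuration as well as the live files.

# audit_pam_krb5 PAM_DIR KEYTAB
# Prints one "RISK" line per finding; returns 0 if clean, 1 otherwise.
audit_pam_krb5() {
    pam_dir=$1
    keytab=$2
    findings=0

    # Coarse check: a missing or empty keytab cannot be used to verify the
    # KDC's response. It does not prove the keytab holds a usable host key.
    if [ -s "$keytab" ]; then
        have_keytab=yes
    else
        have_keytab=no
    fi

    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Active (uncommented) auth lines that load pam_krb5.
        lines=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_krb5' "$f") || continue

        if [ "$have_keytab" = no ]; then
            echo "RISK $f: pam_krb5 auth enabled, no keytab at $keytab"
            findings=$((findings + 1))
        fi
        # Assumption: allow_kdc_spoof is the opt-out on patched systems that
        # lets authentication succeed without verifying the KDC.
        if printf '%s\n' "$lines" | grep -q 'allow_kdc_spoof'; then
            echo "RISK $f: allow_kdc_spoof set, KDC response not verified"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Run directly as: sh audit.sh /etc/pam.d /etc/krb5.keytab
if [ "$#" -eq 2 ]; then
    audit_pam_krb5 "$1" "$2"
fi
```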