CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
pam_krb5: Fix spoofing vulnerability
author Cy Schubert <cy@FreeBSD.org>
Wed, 31 May 2023 19:20:27 +0000 (12:20 -0700)
committer Gordon Tetlow <gordon@FreeBSD.org>
Wed, 21 Jun 2023 05:19:47 +0000 (22:19 -0700)
commit 813847e49e35439ba5d7bf16034b0691312068a4
tree 0a48a18e6102124fbf986bba4d7390c82e19b211
parent 1efa7dbc0798ee883e4e5d7127161032186829e2
pam_krb5: Fix spoofing vulnerability

An adversary on the network can log in via ssh as any user by spoofing
the KDC. When the machine has a keytab installed, the keytab is used to
verify the service ticket. However, without a keytab there is no way
for pam_krb5 to verify the KDC's response and get a TGT with the
password.

If both the password _and_ the KDC are controlled by an adversary, the
adversary can provide a password that the adversary's spoofed KDC will
return a valid TGT for.  Currently, without a keytab, pam_krb5 is
vulnerable to this attack.

Reported by: Taylor R Campbell <riastradh@netbsd.org> via emaste@
Reviewed by: so
Approved by: so
Security: FreeBSD-SA-23:04.pam_krb5
Security: CVE-2023-3326
lib/libpam/modules/pam_krb5/pam_krb5.8
lib/libpam/modules/pam_krb5/pam_krb5.c
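
An added example, not part of the FreeBSD commit: a POSIX shell check for the condition the commit message describes, a PAM auth stack that calls pam_krb5 on a host with no keytab. The function names, the /etc/pam.d directory and the /etc/krb5.keytab path are assumptions; adjust them to the host being audited.

```shell
#!/bin/sh
# Added example (not FreeBSD code): report PAM services whose auth stack uses
# pam_krb5 while the host has no keytab to verify the KDC's reply against.
# Assumed defaults: service files in /etc/pam.d, host keytab /etc/krb5.keytab.
# Usage: audit_pam_krb5 [pam_dir] [keytab_path]

# Print the name of every service file with an active pam_krb5 auth line.
krb5_auth_services() {
    pam_dir=$1
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # PAM fields: type control module [options]. Commented-out lines do
        # not match because their first field is not exactly "auth".
        if awk '$1 == "auth" && $3 ~ /(^|\/)pam_krb5(\.so(\.[0-9]+)?)?$/ { found = 1 }
                END { exit !found }' "$f"; then
            basename "$f"
        fi
    done
}

# Print one verdict line per affected service; return 1 if any is exposed.
audit_pam_krb5() {
    pam_dir=${1:-/etc/pam.d}
    keytab=${2:-/etc/krb5.keytab}
    services=$(krb5_auth_services "$pam_dir")
    [ -n "$services" ] || { echo "OK: no active pam_krb5 auth lines"; return 0; }
    # A non-empty file is only a first check: it does not prove the keytab
    # holds a key for this host's service principal.
    if [ -s "$keytab" ]; then
        state="keytab present, KDC reply can be verified"; rc=0
    else
        state="NO KEYTAB, KDC reply cannot be verified"; rc=1
    fi
    for s in $services; do
        echo "$s: pam_krb5 in auth stack; $state ($keytab)"
    done
    return $rc
}
```

A non-zero return means at least one service authenticates through pam_krb5 without a keytab present; included files (for example `auth include system`) are covered because every file in the directory is scanned.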