diff options
Diffstat (limited to 'contrib/pam-krb5')
| -rw-r--r-- | contrib/pam-krb5/docs/pam_krb5.pod | 15 | ||||
| -rw-r--r-- | contrib/pam-krb5/module/auth.c | 6 | ||||
| -rw-r--r-- | contrib/pam-krb5/module/internal.h | 3 | ||||
| -rw-r--r-- | contrib/pam-krb5/module/options.c | 3 |
4 files changed, 21 insertions, 6 deletions
diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod index 024584dfd4cd..f352af71b553 100644 --- a/contrib/pam-krb5/docs/pam_krb5.pod +++ b/contrib/pam-krb5/docs/pam_krb5.pod @@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM module at a different keytab with the I<keytab> option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -C<verify_ap_req_nofail> to true in the [libdefaults] section of -F</etc/krb5.conf>. Note that this will affect applications other than -this PAM module. +cannot be read or if no keys are found in it, the default behavior is to +fail authentication. If you want to skip this check, set the +C<allow_kdc_spoof> option to true either in the [appdefaults] section of +F</etc/krb5.conf> or in the PAM policy. By default, whenever the user is authenticated, a basic authorization check will also be done using krb5_kuserok(). The default behavior of @@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning. =over 4 +=item allow_kdc_spoof + +Allow authentication to succeed even if there is no host or service +key available in a keytab to authenticate the Kerberos KDC's ticket. + =item alt_auth_map=<format> [3.12] This functions similarly to the I<search_k5login> option. The diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c index 065ce97b6596..46f2be791000 100644 --- a/contrib/pam-krb5/module/auth.c +++ b/contrib/pam-krb5/module/auth.c @@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds) if (cursor_valid) krb5_kt_end_seq_get(c, keytab, &cursor); } +#ifdef __FreeBSD__ + if (args->config->allow_kdc_spoof) + opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; + else + opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; +#endif /* __FreeBSD__ */ retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts); if (retval != 0) putil_err_krb5(args, retval, "credential verification failed"); diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h index f3ea30139815..c797f7a56cd3 100644 --- a/contrib/pam-krb5/module/internal.h +++ b/contrib/pam-krb5/module/internal.h @@ -62,6 +62,9 @@ struct pam_config { long minimum_uid; /* Ignore users below this UID. */ bool only_alt_auth; /* Alt principal must be used. */ bool search_k5login; /* Try password with each line of .k5login. */ +#ifdef __FreeBSD__ + bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */ +#endif /* __FreeBSD__ */ /* Kerberos behavior. */ char *fast_ccache; /* Cache containing armor ticket. */ diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c index 799b3a33e168..0118fb451af6 100644 --- a/contrib/pam-krb5/module/options.c +++ b/contrib/pam-krb5/module/options.c @@ -30,6 +30,9 @@ #define K(name) (#name), offsetof(struct pam_config, name) /* clang-format off */ static const struct option options[] = { +#ifdef __FreeBSD__ + { K(allow_kdc_spoof), true, BOOL (false) }, +#endif /* __FreeBSD__ */ { K(alt_auth_map), true, STRING (NULL) }, { K(anon_fast), true, BOOL (false) }, { K(banner), true, STRING ("Kerberos") }, |