5854b73 ipa-kdb: Detect and block Bronze-Bit attacks

4 files Authored by jrische a year ago, Committed by antorres a year ago,
    ipa-kdb: Detect and block Bronze-Bit attacks
    
    The C8S/RHEL8 version of FreeIPA is vulnerable to the Bronze-Bit attack
    because it does not implement PAC ticket signature to protect the
    "forwardable" flag. However, it does implement the PAC extended KDC
    signature, which protects against PAC spoofing.
    
    Based on information available in the PAC and the
    "ok-to-auth-as-delegate" attribute in the database, it is possible to
    detect and reject requests where the "forwardable" flag was flipped by
    the attacker in the evidence ticket.
    
    (cherry picked from commit a847e2483b4c4832ee5129901da169f4eb0d1392)
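The commit message describes the check only in words: the PAC is protected by the extended KDC signature, the ticket flags are not, so the KDC infers whether a "forwardable" flag on an S4U2self-issued evidence ticket is consistent with the service's "ok-to-auth-as-delegate" attribute. The toy model below is an added illustration of that reasoning and is not ipa-kdb's code. It assumes a PAC that carries an "issued via S4U2self" indicator (how ipa-kdb actually recognises an S4U2self ticket is not shown on this page), uses an HMAC as a stand-in for the extended KDC signature, and builds every ticket inline, so it runs offline.

```python
"""Toy model of the Bronze-Bit check described in the commit message.

Added illustration, not FreeIPA/ipa-kdb code. The "PAC" is a dict signed
with an HMAC standing in for the extended KDC signature, and the
"issued_via_s4u2self" field is an assumed indicator.
"""
import copy
import hashlib
import hmac
import json

KDC_KEY = b"constructed-kdc-key"   # stands in for the krbtgt key (constructed)
FORWARDABLE = 0x40000000           # TicketFlags "forwardable" bit (RFC 4120)


def sign_pac(pac: dict, key: bytes = KDC_KEY) -> bytes:
    """Extended KDC signature stand-in: a MAC over the canonical PAC body.

    Note what it covers: only the PAC, never the ticket flags."""
    body = json.dumps(pac, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_s4u2self_ticket(service: str, user: str,
                          ok_to_auth_as_delegate: bool) -> dict:
    """KDC side: S4U2self ticket for `service` on behalf of `user`.

    The forwardable flag is granted only when the service is allowed to do
    protocol transition (ok-to-auth-as-delegate)."""
    flags = FORWARDABLE if ok_to_auth_as_delegate else 0
    pac = {"client": user, "issued_via_s4u2self": True}  # indicator: assumption
    return {"service": service, "flags": flags,
            "pac": pac, "pac_sig": sign_pac(pac)}


def check_s4u2proxy_evidence(ticket: dict,
                             service_ok_to_auth_as_delegate: bool) -> str:
    """KDC side: validate an evidence ticket presented in an S4U2proxy request.

    Returns "accept" or a rejection reason. The attribute value is looked up
    from the database in the real KDC; here it is passed in."""
    # 1. The PAC must be intact (extended KDC signature).
    if not hmac.compare_digest(sign_pac(ticket["pac"]), ticket["pac_sig"]):
        return "reject: PAC signature mismatch"
    forwardable = bool(ticket["flags"] & FORWARDABLE)
    # 2. Without a PAC ticket signature the flags are unprotected, so the
    #    check is inferential: an S4U2self-issued ticket can only be
    #    forwardable if the service is ok-to-auth-as-delegate.
    if (ticket["pac"].get("issued_via_s4u2self") and forwardable
            and not service_ok_to_auth_as_delegate):
        return "reject: forwardable flag inconsistent with ok-to-auth-as-delegate"
    if not forwardable:
        return "reject: evidence ticket not forwardable"
    return "accept"


def scenarios() -> dict:
    """Constructed inputs: a permitted service, a non-permitted service, the
    non-permitted service's ticket with the flag flipped (the Bronze-Bit
    case), and a ticket whose PAC body was altered."""
    legit = issue_s4u2self_ticket("HTTP/web.example.test", "alice", True)
    plain = issue_s4u2self_ticket("HTTP/app.example.test", "alice", False)
    flipped = copy.deepcopy(plain)
    flipped["flags"] |= FORWARDABLE          # flag lives outside the PAC
    pac_edit = copy.deepcopy(legit)
    pac_edit["pac"]["client"] = "admin"      # PAC body changed, MAC not
    return {
        "legitimate": check_s4u2proxy_evidence(legit, True),
        "not_forwardable": check_s4u2proxy_evidence(plain, False),
        "bronze_bit": check_s4u2proxy_evidence(flipped, False),
        "pac_tampered": check_s4u2proxy_evidence(pac_edit, True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:16s} {verdict}")
```

The "bronze_bit" case is the instructive one: the PAC signature still verifies after the flag change, because the signature never covered the ticket flags. Only the cross-check against the service's ok-to-auth-as-delegate attribute turns the request away, which is precisely the inference the commit message describes for a KDC that lacks the PAC ticket signature.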
    
file modified: +13 -0
file modified: +173 -0