67ca47b ipa-kdb: Ensure Bronze-Bit check can be enabled

Authored by jrische 3 months ago, committed by frenaud 3 months ago (3 files)
    ipa-kdb: Ensure Bronze-Bit check can be enabled
    
    MIT krb5 1.19 and older do not implement support for PAC ticket
    signature to protect the encrypted part of tickets. This is the cause of
    the Bronze-Bit vulnerability (CVE-2020-17043). The Bronze-Bit attack
    detection mechanism introduced in a847e248 relies on the content of the
    PAC.
    
    However, since CVE-2022-37967, the content of the PAC can no longer be
    trusted if the KDC does not support the PAC extended KDC signature (a.k.a.
    PAC full checksum). This signature is supported in MIT krb5 since
    version 1.21.
    
    Support for the PAC extended KDC signature was backported downstream to
    krb5 1.18.2 for CentOS 8 Stream (dist-git commit 7d215a54). This makes
    the content of the PAC still trustworthy there.
    
    This commit disables the Bronze-Bit attack detection mechanism at build
    time in case krb5 does not provide the krb5_pac_full_sign_compat()
    function.
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    
file modified: +4 -0