-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Method to check quickly whether krb5_kuserok or krb5_verify_init_creds could ever pass? #1157
Comments
What does |
Accessing
So there's a system keytab but no Determining what the "default realm" is in a zero-conf way is hard, and possibly the hardest zero-conf problem facing Heimdal and MIT Kerberos. We should really dispense with the concept of trying to determine it. If you enter a principal name not qualified by a realm name and the host does not know anything like a |
Decides whether a calling user is authorized to switch to a target user with su(1).
True. A reliable way to avoid both problems would be to disable pam_ksu. But it is on by default in NetBSD and has been for a long time; whether to disable it by default is a separate issue.
No, other way around: there is a ~/.krb5/config (or /etc/krb5.conf) but no system keytab and no /root/.k5login. The scenario is that I'm using krb5 purely for client-side SSO on my laptop to authenticate to remote systems, but creating ~/.krb5/config for that purpose had the side effect of making local su(1) hang waiting for network access. |
Ouch. That's very painful. A bit of a deadly embrace. Hmmm. Also, it seems like a very bad idea for
Is |
I thought about that, but the main risk I see is that parsing user-controlled input is fraught with peril. I would hope that the Heimdal krb5.conf parser is robust, of course, but perhaps that's naive optimism shining through. Are there other risks than that? Surely, even if the user's ~/.krb5/config file points to a malicious KDC, nothing should be able to bypass (a) /root/.k5login, or (b) krb5_verify_initial_creds with /etc/keytab, right?
This logic appears to be new since Heimdal 7.7.0, which is what NetBSD currently ships with. (To be updated soon, probably once the openssl3 dust settles.) That said, ~/.krb5/config aside, it would be nice if an empty /etc/krb5.conf could enable seamless client-side SSO without triggering any similar misbehaviour. |
Apart from parsing robustness concerns one might have to think about how any of the many parameters in the configuration might affect
I see. Well, we really need to do an 8.0 release. The issues w.r.t. kinit and cache collections are among the blocking issues. In the meantime, I'd advise backporting
Even a missing |
I gave this some thought quite some time ago w.r.t. NetBSD's behaviour vis a vis Kerberos. I have always felt deeply unsatisfied that the presence of |
NetBSD's PAM stack also should not be reaching through the layers of abstration. Assuming that |
Yes. I'm trying to shake out all the issues that get in the way of having kinit and client-side SSO just work out of the box with zero configuration.
Personally I have no objection to that. Of course, this poses compatibility issues for anyone who has been using pam_ksu (and, similarly, pam_krb5) for password entry -- an incautious update could lock you out if you relied on that. Probably better to discuss that question in a NetBSD forum like tech-security@ (maybe with a poll of netbsd-users@) rather than here, though! |
Agreed. Essentially, I think that turning on SSO should be a conscious choice by the user and that PAM is the logical place to make said choice as you may very well say: I'd like krb5 for xdm (or display_manager on NetBSD) but not SSH or su. Conditionalising things on I do think, though, that Heimdal could modify |
I'd expect that a True, the |
The NetBSD pam_ksu module has a bug causing su(1) to hang on network access if you have /etc/krb5.conf or ~/.krb5/config, even if the host has no /root/.k5login or keytabs (https://gnats.netbsd.org/57470).
This happens because pam_ksu does various work to determine a default realm and KDC and principal before it can determine whether that principal is authorized by /root/.k5login, via krb5_kuserok, or the user has or can get a valid service ticket, via krb5_verify_init_creds (with ap_req_nofail=1 hard-coded so that there's no exploitable hole).
What's the best way to skip all this early, so that enabling a seamless client-side SSO experience by creating an empty ~/.krb5/config or /etc/krb5.conf doesn't cause hiccups in unrelated things like local su(1) on an otherwise non-kerberized host?
The text was updated successfully, but these errors were encountered: