Bug 2098617

Summary: Harden kerberos ticket validation
Product: Red Hat Enterprise Linux 8 Reporter: Alexey Tikhonov <atikhono>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: shridhar <sgadekar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.6CC: grajaiya, jhrozek, lslebodn, mzidek, pbrezina, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.7.2-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 10:51:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexey Tikhonov 2022-06-20 08:14:56 UTC 
This bug was initially created as a copy of Bug #2073095

I am copying this bug because: to track fix for RHEL8



Cloned from upstream https://github.com/SSSD/sssd/issues/5868 :

```
Following suggestions were provided by Samba Team in https://www.samba.org/samba/security/CVE-2020-25721.html
    ```
    In order to avoid issues like CVE-2020-25717 AD Kerberos accepting
    services need access to unique, and ideally long-term stable
    identifiers of a user to perform authorization.

    The AD PAC provides this, but the most useful information is kept in a
    buffer which is NDR encoded, which means that so far in Free Software
    only Samba and applications which use Samba components under the hood
    like FreeIPA and SSSD decode PAC.

    Recognising that the issues seen in Samba are not unique, Samba now
    provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
    way that can be parsed using basic pointer handling.

    From this, future non-Samba based Kerberised applications can easily obtain
    the user's SID, in the same packing as objectSID in LDAP, confident
    that the ticket represents a specific user, not matter subsequent
    renames.

    This will allow such non-Samba applications to avoid confusing one
    Kerberos user for another, even if they have the same string name (due
    to the gap between time of ticket printing by the KDC and time of
    ticket acceptance).
    ```

It would be great if SSSD would have implemented at least few of these suggestions:
    - verify SID in PAC and new buffers PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO, PAC_REQUESTER_SID, to be consistent with what SSSD knows about the user's objectSID
    - automatically require PAC presence (and validate it) when running with 'ad' provider
    - automatically require PAC presence (and validate it) when running with 'ipa' provider and IPA already issues SIDs to users
    - support global 'require PAC' setting for IPA provider when it is implemented

Additional information:
Microsoft: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Samba Team: https://www.samba.org/samba/latest_news.html#4.15.2
Corresponding FreeIPA ticket: https://pagure.io/freeipa/issue/9031 and pull request: freeipa/freeipa#6076
Comment 1 Alexey Tikhonov 2022-06-20 08:25:39 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6071

* `master`
    * 4c7f730b858c09e092cdecec973bd20af32b46d4 - localauth: improve localauth add man page
    * 9c12e962e0fcd6e74c9cc844e2e98e0b0dce79fa - monitor: add implicit_pac_responder option.
    * 30dbecaa9ef6957b74692bf86e34afcf3cafae70 - ad: enable the PAC responder implicitly for AD provider
    * 6970cb1bfd2e50286956ea311167ac77f78c3ee5 - pac: apply new pac check options
    * a28f8a337b9df61615015c045695fd21e9aab13f - krb5: add krb5_check_pac option
    * e57ab1ea5cb0d10e7b689ef72f5862e125bcb17d - tests: add PAC upn_dns_info test
    * 2d52fffdbda1558407fe51b0ad91c0b5bea7bae9 - ad: make new PAC buffers available
* `sssd-2-7`
    * 0dc42cbaa84f45646f6ae13f6ab97a028145498c - localauth: improve localauth add man page
    * fcc1bd84f7e927e2bca9e098c48bd8984c8e398f - monitor: add implicit_pac_responder option.
    * e7163273592eb493c809654908f3904eac2d9c84 - ad: enable the PAC responder implicitly for AD provider
    * 8e265c766c8b1380074026490a5fa8f59d2c4641 - pac: apply new pac check options
    * 1c90333b0241771e227d03b5cbfdc07d00d7a061 - krb5: add krb5_check_pac option
    * d6354e0a9c78281e81adab48a9e3d3f394979891 - tests: add PAC upn_dns_info test
    * a912c1251f0707f4ab5095ad4559823dbbdf0550 - ad: make new PAC buffers available


Additional patch:

Pushed PR: https://github.com/SSSD/sssd/pull/6204

* `master`
    * 55e93cf1cf4d61c6de7975cbdc97a723545586c0 - pac: relax default for pac_check option
* `sssd-2-7`
    * 26d8601e9b4e35ff89ca9fa72b9db05199096b56 - pac: relax default for pac_check option
Comment 8 errata-xmlrpc 2022-11-08 10:51:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739