2098617 – Harden kerberos ticket validation

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2098617 - Harden kerberos ticket validation

Summary: Harden kerberos ticket validation

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Sumit Bose
QA Contact:	shridhar
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-06-20 08:14 UTC by Alexey Tikhonov
Modified:	2022-11-08 12:42 UTC (History)
CC List:	6 users (show)
Fixed In Version:	sssd-2.7.2-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-11-08 10:51:32 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 5868	None	closed	Harden kerberos ticket validation	2022-06-20 08:25:39 UTC
Red Hat Issue Tracker	RHELPLAN-125726	None	None	None	2022-06-20 08:21:38 UTC
Red Hat Issue Tracker	SSSD-4831	None	None	None	2022-06-20 08:58:05 UTC
Red Hat Product Errata	RHBA-2022:7739	None	None	None	2022-11-08 10:51:50 UTC

Description Alexey Tikhonov 2022-06-20 08:14:56 UTC

This bug was initially created as a copy of Bug #2073095

I am copying this bug because: to track fix for RHEL8



Cloned from upstream https://github.com/SSSD/sssd/issues/5868 :

```
Following suggestions were provided by Samba Team in https://www.samba.org/samba/security/CVE-2020-25721.html
    ```
    In order to avoid issues like CVE-2020-25717 AD Kerberos accepting
    services need access to unique, and ideally long-term stable
    identifiers of a user to perform authorization.

    The AD PAC provides this, but the most useful information is kept in a
    buffer which is NDR encoded, which means that so far in Free Software
    only Samba and applications which use Samba components under the hood
    like FreeIPA and SSSD decode PAC.

    Recognising that the issues seen in Samba are not unique, Samba now
    provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
    way that can be parsed using basic pointer handling.

    From this, future non-Samba based Kerberised applications can easily obtain
    the user's SID, in the same packing as objectSID in LDAP, confident
    that the ticket represents a specific user, not matter subsequent
    renames.

    This will allow such non-Samba applications to avoid confusing one
    Kerberos user for another, even if they have the same string name (due
    to the gap between time of ticket printing by the KDC and time of
    ticket acceptance).
    ```

It would be great if SSSD would have implemented at least few of these suggestions:
    - verify SID in PAC and new buffers PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO, PAC_REQUESTER_SID, to be consistent with what SSSD knows about the user's objectSID
    - automatically require PAC presence (and validate it) when running with 'ad' provider
    - automatically require PAC presence (and validate it) when running with 'ipa' provider and IPA already issues SIDs to users
    - support global 'require PAC' setting for IPA provider when it is implemented

Additional information:
Microsoft: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Samba Team: https://www.samba.org/samba/latest_news.html#4.15.2
Corresponding FreeIPA ticket: https://pagure.io/freeipa/issue/9031 and pull request: freeipa/freeipa#6076

Comment 1 Alexey Tikhonov 2022-06-20 08:25:39 UTC

Pushed PR: https://github.com/SSSD/sssd/pull/6071

* `master`
    * 4c7f730b858c09e092cdecec973bd20af32b46d4 - localauth: improve localauth add man page
    * 9c12e962e0fcd6e74c9cc844e2e98e0b0dce79fa - monitor: add implicit_pac_responder option.
    * 30dbecaa9ef6957b74692bf86e34afcf3cafae70 - ad: enable the PAC responder implicitly for AD provider
    * 6970cb1bfd2e50286956ea311167ac77f78c3ee5 - pac: apply new pac check options
    * a28f8a337b9df61615015c045695fd21e9aab13f - krb5: add krb5_check_pac option
    * e57ab1ea5cb0d10e7b689ef72f5862e125bcb17d - tests: add PAC upn_dns_info test
    * 2d52fffdbda1558407fe51b0ad91c0b5bea7bae9 - ad: make new PAC buffers available
* `sssd-2-7`
    * 0dc42cbaa84f45646f6ae13f6ab97a028145498c - localauth: improve localauth add man page
    * fcc1bd84f7e927e2bca9e098c48bd8984c8e398f - monitor: add implicit_pac_responder option.
    * e7163273592eb493c809654908f3904eac2d9c84 - ad: enable the PAC responder implicitly for AD provider
    * 8e265c766c8b1380074026490a5fa8f59d2c4641 - pac: apply new pac check options
    * 1c90333b0241771e227d03b5cbfdc07d00d7a061 - krb5: add krb5_check_pac option
    * d6354e0a9c78281e81adab48a9e3d3f394979891 - tests: add PAC upn_dns_info test
    * a912c1251f0707f4ab5095ad4559823dbbdf0550 - ad: make new PAC buffers available


Additional patch:

Pushed PR: https://github.com/SSSD/sssd/pull/6204

* `master`
    * 55e93cf1cf4d61c6de7975cbdc97a723545586c0 - pac: relax default for pac_check option
* `sssd-2-7`
    * 26d8601e9b4e35ff89ca9fa72b9db05199096b56 - pac: relax default for pac_check option

Comment 8 errata-xmlrpc 2022-11-08 10:51:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739

Note You need to log in before you can comment on or make changes to this bug.