+++ This bug was initially created as a clone of Bug #2169477 +++

A paper by Tom Tervoort[1] noted that computing the PAC privsvr checksum over only the server checksum is vulnerable to collision attacks. In response, Microsoft has added a second KDC checksum over the full contents of the PAC[2]. This change will be required for PAC signatures to be accepted by AD from 2023-07-11[3].

[1] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
[2] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20221212-diff.pdf
[3] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb
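A toy model of the three PAC checksums described above, written as an added example that is not krb5, MS-PAC or Fedora code: HMAC-SHA256 stands in for the Kerberos checksum types, the keys and PAC bodies are constructed, and the `require_extended` flag of `verify_pac` models AD enforcement from 2023-07-11. It shows why the legacy privsvr checksum adds no binding to the PAC body of its own (it validates for any body presented with the same server checksum), why the extended checksum does, and what happens to a PAC issued by a KDC that does not emit the extended checksum once enforcement is on.

```python
import hmac
import hashlib

# Constructed toy keys (not real krb5 material). In a deployment the server
# checksum uses the service's long-term key and both KDC checksums use the
# krbtgt key; HMAC-SHA256 is only a stand-in for the Kerberos checksum types.
SERVER_KEY = b"toy-service-long-term-key"
KDC_KEY = b"toy-krbtgt-key"

# Constructed PAC bodies standing in for the serialized PAC buffers with the
# checksum fields zeroed, which is what the real checksums are computed over.
GENUINE_BODY = b"PAC{user=alice;sid=S-1-5-21-1-2-3-1105;groups=[513]}"
ALTERED_BODY = b"PAC{user=alice;sid=S-1-5-21-1-2-3-1105;groups=[513,512]}"


def server_checksum(server_key: bytes, pac_body: bytes) -> bytes:
    """Server checksum: keyed checksum over the PAC body under the service key."""
    return hmac.new(server_key, pac_body, hashlib.sha256).digest()


def kdc_checksum_legacy(kdc_key: bytes, server_cksum: bytes) -> bytes:
    """Pre-2022 KDC (privsvr) checksum: keyed over the server checksum ONLY.

    The body influences this value solely through server_cksum, so any two
    bodies sharing a server checksum share this KDC checksum as well."""
    return hmac.new(kdc_key, server_cksum, hashlib.sha256).digest()


def kdc_checksum_extended(kdc_key: bytes, pac_body: bytes) -> bytes:
    """Extended KDC checksum (MS-PAC 2022-12 revision): keyed over the full PAC."""
    return hmac.new(kdc_key, pac_body, hashlib.sha256).digest()


def issue_pac(pac_body: bytes, server_key: bytes = SERVER_KEY,
              kdc_key: bytes = KDC_KEY, emit_extended: bool = True) -> dict:
    """What the KDC does at issue time. emit_extended=False models a KDC
    without the extended-signature support (e.g. an un-backported krb5)."""
    s = server_checksum(server_key, pac_body)
    pac = {"body": pac_body, "server": s, "kdc_legacy": kdc_checksum_legacy(kdc_key, s)}
    if emit_extended:
        pac["kdc_extended"] = kdc_checksum_extended(kdc_key, pac_body)
    return pac


def verify_pac(pac: dict, server_key: bytes = SERVER_KEY, kdc_key: bytes = KDC_KEY,
               require_extended: bool = False) -> dict:
    """Verifier-side checks, reported per checksum so the difference is visible.
    require_extended=True models AD rejecting PACs without a valid extended checksum."""
    body = pac["body"]
    server_ok = hmac.compare_digest(pac["server"], server_checksum(server_key, body))
    legacy_ok = hmac.compare_digest(pac["kdc_legacy"], kdc_checksum_legacy(kdc_key, pac["server"]))
    ext = pac.get("kdc_extended")
    extended_ok = ext is not None and hmac.compare_digest(ext, kdc_checksum_extended(kdc_key, body))
    accepted = server_ok and legacy_ok and (extended_ok or not require_extended)
    return {"server_ok": server_ok, "kdc_legacy_ok": legacy_ok,
            "kdc_extended_ok": extended_ok, "accepted": accepted}


def transplant_checksums(genuine: dict, new_body: bytes) -> dict:
    """Model the collision scenario from the paper: a different body presented
    with the genuine PAC's checksums. No real collision exists here, so the
    server check fails; the point is which KDC checksum still vouches for it."""
    return {**genuine, "body": new_body}


def demo() -> dict:
    genuine = issue_pac(GENUINE_BODY)
    altered = transplant_checksums(genuine, ALTERED_BODY)
    no_extended = issue_pac(GENUINE_BODY, emit_extended=False)
    return {
        "genuine_enforced": verify_pac(genuine, require_extended=True),
        "altered_legacy_only": verify_pac(altered, require_extended=False),
        "altered_enforced": verify_pac(altered, require_extended=True),
        "no_extended_before_enforcement": verify_pac(no_extended, require_extended=False),
        "no_extended_after_enforcement": verify_pac(no_extended, require_extended=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `altered_*` results are the instructive ones: the legacy KDC checksum reports valid for the altered body because it never covered the body, so a service-checksum collision would carry the KDC's signature across unchanged, while the extended checksum fails for the altered body regardless of what happens to the server checksum. The `no_extended_*` pair is the situation this bug is about: PACs from a KDC that does not emit the extended checksum stay acceptable only until the relying realm enforces it.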
Pull request: https://src.fedoraproject.org/rpms/krb5/pull-request/39
The current backport fails to pass the following upstream test:

PYTHONPATH=../util VALGRIND="" python3 ./t_authdata.py
*** Failure: expected authdata not seen for basic request
*** Last mark: baseline authdata
*** Last command (#9): ./adata host/buildvm-a64-19.iad2.fedoraproject.org
*** Output of last command:
^-42: Hello, KDC issued acceptor world!
?512: 301EA003020112A1173015A003020110A10E040CACDC98594C36DEF590A3A1D5
For details, see: /builddir/build/BUILD/krb5-1.19.2/src/tests/testlog
Or re-run this test script with the -v flag:
    cd /builddir/build/BUILD/krb5-1.19.2/src/tests
    PYTHONPATH=/builddir/build/BUILD/krb5-1.19.2/src/util /usr/bin/python3 ./t_authdata.py -v
Use --debug=NUM to run a command under a debugger.
Use --stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.
Use --help to see other options.
Not supporting the new PAC extended KDC signature would only affect cross-realm resource-based constrained delegation requests between FreeIPA and Active Directory. But this type of request is not supported by FreeIPA at this point anyway. Hence, backporting this feature to Fedora 37 will not have any benefit.