+++ This bug was initially created as a clone of Bug #2176406 +++

Support for the PAC extended KDC signature (or "full PAC checksum") has recently been implemented upstream[1] for MIT Kerberos. The fix for bug 2169477 backports the krb5_kdc_sign_ticket() function[2] to krb5 1.18.2. This function is a replacement for the krb5_pac_sign() and krb5_pac_sign_ext() functions[3], which are currently used in IPA 4.9.11[4]. These two functions do not generate the extended KDC signature; only krb5_kdc_sign_ticket() does. This is the reason why we are backporting it.

The krb5_kdc_sign_ticket() function was initially introduced[5] to support the new "ticket signature", which was introduced by Microsoft[6] to mitigate CVE-2020-17049 (bronze bit attack). This is the reason why this function expects a krb5_enc_tkt_part[7] parameter representing the encrypted part of the ticket, out of which the "ticket signature" is generated. So, the krb5_kdc_sign_ticket() function generates both the "ticket signature" and the "extended KDC signature", and needs the encrypted part of the ticket.

However, on IPA 4.9.11 the PAC is generated by setting the sign_authdata() callback[8][9]. This callback does not provide the ticket's encrypted part as a parameter, making krb5_kdc_sign_ticket() not usable in practice.

It should be mentioned that, according to the document[10] that made CVE-2022-37967 public, the ticket signature does not have to be present for the PAC to be accepted.
[1] https://github.com/krb5/krb5/commit/4602a10dbe380d75d1ec00f7d34479ac9d503735
[2] https://github.com/krb5/krb5/blob/e35b32f81f9defbcce4f2398d93a975ffb807ee7/src/include/krb5/krb5.hin#L8365-L8393
[3] https://github.com/krb5/krb5/blob/e35b32f81f9defbcce4f2398d93a975ffb807ee7/src/include/krb5/krb5.hin#L8351-L8363
[4] https://pagure.io/freeipa/blob/ipa-4-9/f/daemons/ipa-kdb/ipa_kdb_mspac_v6.c#_179
[5] https://github.com/krb5/krb5/commit/ee4e3c5c9eee061048d5b7393b8f3820d1a563a8
[6] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-201123-diff.pdf (Page 26, section 2.8.3)
[7] https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/include/krb5/krb5.hin#L1927-L1938
[8] https://github.com/krb5/krb5/blob/4c3063afb4a4b141b70d56aa381784f7efd637c9/src/include/kdb.h#L1277-L1360
[9] https://pagure.io/freeipa/blob/ipa-4-9/f/daemons/ipa-kdb/ipa_kdb.c#_725
[10] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf (Page 6, 1st paragraph)
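The following is a constructed model of the PAC checksum layout, added here as an example; it is not code from this bug report, from FreeIPA or from MIT krb5. It builds a minimal PAC, signs it the way the legacy krb5_pac_sign()/krb5_pac_sign_ext() path does (server and KDC signatures only) and the way krb5_kdc_sign_ticket() does (ticket checksum plus the full PAC checksum, buffer type 19), and shows the check a verifier enforcing the extended KDC signature performs. Assumptions: every signature uses the RC4-HMAC checksum of RFC 4757 section 4 with key usage 17, the RODCIdentifier field is omitted, the ticket signature value is a placeholder passed in by the caller (the real one is computed over the encrypted ticket part, which is exactly what the sign_authdata() callback does not provide), and the zeroing rules (full checksum over the PAC with the server, KDC and full signature fields zeroed and the ticket signature left in place; server signature covering the full checksum value) follow MS-PAC section 2.8 and MIT's pac_sign.c as read by the editor, not a verified copy of them.

```python
import hashlib
import hmac
import struct

# PAC buffer types from MS-PAC section 2.4 (real values); the PAC built
# below is a constructed minimal model, not a real ticket's PAC.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7       # the "KDC signature"
PAC_TICKET_CHECKSUM = 16
PAC_FULL_CHECKSUM = 19         # the "extended KDC signature"
CKSUM_HMAC_MD5 = 0xFFFFFF76    # checksum type -138 (RFC 4757, rc4-hmac)
KERB_NON_KERB_CKSUM_SALT = 17  # key usage for PAC checksums
SIG_LEN = 16                   # HMAC-MD5 output length


def hmac_md5_checksum(key, data, usage=KERB_NON_KERB_CKSUM_SALT):
    """RFC 4757 section 4 checksum: HMAC-MD5 keyed with a derived signature key."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def encode_pac(buffers):
    """Encode a PACTYPE header plus PAC_INFO_BUFFER entries (MS-PAC 2.3).
    buffers is an ordered list of (ulType, payload bytes)."""
    offset = 8 + 16 * len(buffers)          # first buffer follows the header
    entries, body = [], b""
    for ultype, payload in buffers:
        entries.append(struct.pack("<IIQ", ultype, len(payload), offset))
        padded = payload + b"\0" * (-len(payload) % 8)   # 8-byte alignment
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + body


def parse_pac(pac):
    """Return {ulType: (offset, size)} from the PAC_INFO_BUFFER array."""
    cbuffers, _version = struct.unpack_from("<II", pac, 0)
    index = {}
    for i in range(cbuffers):
        ultype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        index[ultype] = (off, size)
    return index


def _with_signature(pac, index, ultype, sig):
    """Overwrite the Signature field of a PAC_SIGNATURE_DATA buffer (type stays)."""
    off, size = index[ultype]
    return pac[:off + 4] + sig + pac[off + size:]


def _zeroed(pac, index, *types):
    """Copy of the PAC with the listed signature fields zeroed, if present."""
    for t in types:
        if t in index:
            pac = _with_signature(pac, index, t, b"\0" * SIG_LEN)
    return pac


def _empty_signature():
    return struct.pack("<I", CKSUM_HMAC_MD5) + b"\0" * SIG_LEN


def sign_pac(logon_info, server_key, kdc_key, ticket_signature=None):
    """ticket_signature=None models the legacy krb5_pac_sign_ext() output
    (server + KDC signatures only); a value models what krb5_kdc_sign_ticket()
    adds: a ticket checksum buffer and the full (extended KDC) checksum."""
    buffers = [(PAC_LOGON_INFO, logon_info),
               (PAC_SERVER_CHECKSUM, _empty_signature()),
               (PAC_PRIVSVR_CHECKSUM, _empty_signature())]
    if ticket_signature is not None:
        buffers.append((PAC_TICKET_CHECKSUM,
                        struct.pack("<I", CKSUM_HMAC_MD5) + ticket_signature))
        buffers.append((PAC_FULL_CHECKSUM, _empty_signature()))
    pac = encode_pac(buffers)
    index = parse_pac(pac)
    if ticket_signature is not None:
        # Full checksum (assumed rule): whole PAC with server, KDC and full
        # signature fields zeroed; the ticket signature stays in place.
        full = hmac_md5_checksum(kdc_key, _zeroed(
            pac, index, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_FULL_CHECKSUM))
        pac = _with_signature(pac, index, PAC_FULL_CHECKSUM, full)
    # Server checksum: whole PAC with server and KDC fields zeroed, so the
    # full checksum value, when present, is covered by it.
    server_sig = hmac_md5_checksum(server_key, _zeroed(
        pac, index, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM))
    pac = _with_signature(pac, index, PAC_SERVER_CHECKSUM, server_sig)
    # KDC checksum: over the server signature bytes only.
    kdc_sig = hmac_md5_checksum(kdc_key, server_sig)
    return _with_signature(pac, index, PAC_PRIVSVR_CHECKSUM, kdc_sig)


def verify_server_and_kdc(pac, server_key, kdc_key):
    """The two checks every PAC verifier has always performed."""
    index = parse_pac(pac)
    soff, ssize = index[PAC_SERVER_CHECKSUM]
    koff, ksize = index[PAC_PRIVSVR_CHECKSUM]
    server_sig, kdc_sig = pac[soff + 4:soff + ssize], pac[koff + 4:koff + ksize]
    body = _zeroed(pac, index, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)
    return (hmac.compare_digest(server_sig, hmac_md5_checksum(server_key, body))
            and hmac.compare_digest(kdc_sig, hmac_md5_checksum(kdc_key, server_sig)))


def verify_full_checksum(pac, kdc_key):
    """Check a verifier enforcing the extended KDC signature adds: False when
    the buffer is absent (legacy-signed PAC) or when the value does not match."""
    index = parse_pac(pac)
    if PAC_FULL_CHECKSUM not in index:
        return False
    off, size = index[PAC_FULL_CHECKSUM]
    expected = hmac_md5_checksum(kdc_key, _zeroed(
        pac, index, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_FULL_CHECKSUM))
    return hmac.compare_digest(pac[off + 4:off + size], expected)


if __name__ == "__main__":
    skey, kkey = b"\x11" * 16, b"\x22" * 16          # constructed keys
    legacy = sign_pac(b"constructed-logon-info", skey, kkey)
    signed = sign_pac(b"constructed-logon-info", skey, kkey, b"\x33" * 16)
    print("legacy has full checksum:", verify_full_checksum(legacy, kkey))
    print("kdc_sign_ticket-style has full checksum:", verify_full_checksum(signed, kkey))
```

A PAC produced by the legacy path passes the classic server/KDC checks but fails verify_full_checksum() simply because buffer type 19 is absent, which is the gap the backport closes; the full checksum also binds the logon data, so flipping a byte of it invalidates the signature even with the correct KDC key.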
Upstream pull request: https://github.com/freeipa/freeipa/pull/6785
Fixed upstream master:
https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463
https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7
https://pagure.io/freeipa/c/545a363dd2f7f551fa3ec3fed66c80b30ae3c1e1

Fixed upstream ipa-4-10:
https://pagure.io/freeipa/c/630cda5c06428825dd5604493621b9cbdab70073
https://pagure.io/freeipa/c/bbe545ff9feb972e549c743025e4a26b14ef8f89
https://pagure.io/freeipa/c/7ea3b86696f5451f1d227d365018ab7dc53024af
Not supporting the new PAC extended KDC signature would only affect cross-realm resource-based constrained delegation requests between FreeIPA and Active Directory. But this type of request is not supported by FreeIPA at this point anyway. Hence, backporting this feature to Fedora 37 will not have any benefit.