K 10
svn:author
V 6
gordon
K 8
svn:date
V 27
2023-06-21T05:27:27.308794Z
K 7
svn:log
V 869
pam_krb5: Fix spoofing vulnerability

An adversary on the network can log in via ssh as any user by spoofing
the KDC. When the machine has a keytab installed the keytab is used to
verify the service ticket. However, without a keytab there is no way
for pam_krb5 to verify the KDC's response and get a TGT with the
password.

If both the password _and_ the KDC are controlled by an adversary, the
adversary can provide a password that the adversary's spoofed KDC will
return a valid tgt for.  Currently, without a keytab, pam_krb5 is
vulnerable to this attack.

Reported by:	Taylor R Campbell <riastradh@netbsd.org> via emaste@
Reviewed by:	so
Approved by:	so
Security:	FreeBSD-SA-23:04.pam_krb5
Security:	CVE-2023-3326

(cherry picked from commit 813847e49e35439ba5d7bf16034b0691312068a4)

Git Hash:   5018f551ece209a32b06e5225d34fe248d14e479
Git Author: cy@FreeBSD.org
END