beyondmachines1,
todb,

@beyondmachines1 @adminkirsty original advisory is here:

https://www.freebsd.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc

If the local machine is missing a keytab file, though, isn’t that local for PAM implementation already fundamentally broken? Without a keytab entry, you could /never/ be sure the TGT was legit.

Are keytab files optional when configuring krb5 on FreeBSD? How about other OSes? IOW, does this CVE describe a fundamental, common implementation issue with OTHER pam-krb5 installs?

I haven’t looked at the patch yet (on a phone, not entirely sure I want to get out of bed yet on a Sunday). But the more documentation I read on fixing common pam-krb5 problems, the more suspicious I become that nobody does keytab checking correctly (except, now, ).

beyondmachines1,

@todb @adminkirsty A very astute observation.
Time permitting, we'll play around on a Linux env this week to try to compare results.
First suspicion - maybe the FreeBSD implementation suffers from fail-safe instead of fail-secure if the keytab file is missing.
Which may be different in other implementations and be the difference between a critical vulnerability and a minor implementation nuisance.

todb,

@beyondmachines1 @adminkirsty Okay, so I did, in fact, get out of bed to chase this business.

Read the patch, saw this delightful line:

+#define PAM_OPT_ALLOW_KDC_SPOOF "allow_kdc_spoof"

That's fun. Reminds me of netcat's GAPING_SECURITY_HOLE

Skimming Linux docs, it looks like pam_krb5 is deprecated anyway in favor of pam_sssd, and pam_sssd automatically creates a keytab file upon joining the domain -- looks non-optional.

Over in land, it looks like keytab is similarly required, but you can turn it off manually (according to the man page).

So with those two examples, my bet is that most domain members are okay by default. Broken is still broken, but you have to go out of your way to break it (and if you have that breaking power, you can do easier things anyway like just straight up su-ing as someone else).

The above is based purely on documentation, no testing.
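Added here as an illustration of the fail-secure point the thread is circling, not code from the advisory or from any poster: a small audit that parses pam.d-style lines, flags pam_krb5 entries that carry allow_kdc_spoof, and reports a pam_krb5 deployment whose host keytab (default path /etc/krb5.keytab, assumed) is missing or empty. The PAM lines below are constructed sample input.

```python
import os
from dataclasses import dataclass

KEYTAB_DEFAULT = "/etc/krb5.keytab"  # assumed default keytab path


@dataclass
class Finding:
    severity: str
    message: str


def parse_pam_line(line: str):
    """Parse a pam.d-style line 'type control module [args]'; None for blank/comment lines.
    Bracketed controls such as '[success=ok default=die]' are joined back together."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    if len(parts) >= 2 and parts[1].startswith("["):
        while len(parts) > 2 and not parts[1].endswith("]"):
            parts[1:3] = [parts[1] + " " + parts[2]]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2], parts[3:]


def audit_pam_krb5(pam_lines, keytab_path=KEYTAB_DEFAULT, keytab_present=None):
    """Return findings for pam_krb5 lines. keytab_present overrides the filesystem
    check so the audit can run on a captured config without the real keytab."""
    findings, uses_krb5 = [], False
    for n, raw in enumerate(pam_lines, 1):
        parsed = parse_pam_line(raw)
        if parsed is None or not os.path.basename(parsed[2]).startswith("pam_krb5"):
            continue
        uses_krb5 = True
        # Any allow_kdc_spoof argument disables the keytab-based KDC verification.
        if any(a.split("=", 1)[0] == "allow_kdc_spoof" for a in parsed[3]):
            findings.append(Finding("HIGH", f"line {n}: allow_kdc_spoof set on {parsed[2]}"))
    if uses_krb5:
        if keytab_present is None:
            keytab_present = os.path.isfile(keytab_path) and os.path.getsize(keytab_path) > 0
        if not keytab_present:
            findings.append(Finding("HIGH", f"pam_krb5 in use but keytab {keytab_path} missing or empty; KDC cannot be verified"))
    return findings


SAMPLE_PAM = """# constructed sample, not a real host config
auth  sufficient  pam_krb5.so  no_warn try_first_pass
auth  [success=ok default=die]  pam_krb5.so  no_warn allow_kdc_spoof
auth  required    pam_unix.so  no_warn try_first_pass
"""
```

Run `audit_pam_krb5(SAMPLE_PAM.splitlines(), keytab_present=False)` to see both findings; on a live host omit `keytab_present` so the keytab is actually checked.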
