CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less

author Joseph Sutton <josephsutton@catalyst.net.nz>

Tue, 24 May 2022 05:53:49 +0000 (17:53 +1200)

committer Jule Anger <janger@samba.org>

Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Tue, 24 May 2022 05:53:49 +0000 (17:53 +1200)
committer Jule Anger <janger@samba.org>
Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index 2e523ec648388eeb7048fcfd339ee2b9b9c69a82..ec0dd106f0f16a21cb3fbb43e7c6f280e5533768 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -58,7 +58,6 @@
  # Kpasswd tests
  #
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc

index 4059f2210f41d3dfa7d94f83bb34ba5ec2faca4b..e1315ed71ac32fdccad74e8ee02de34a0f895cfd 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -438,7 +438,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
  #
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
  ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c

index 1797b5dcade4cda1b98005f5b9e3aaf0ee398d99..68eab93c6808b44d939a3f1d0c04574946770d96 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1337,6 +1337,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                                                 kdc_db_ctx->policy.usr_tkt_lifetime);
         }
  
+       if (entry->flags.change_pw) {
+               /* Limit lifetime of kpasswd tickets to two minutes or less. */
+               *entry->max_life = MIN(*entry->max_life, CHANGEPW_LIFETIME);
+       }
+
         entry->max_renew = malloc(sizeof(*entry->max_renew));
         if (entry->max_renew == NULL) {
                 ret = ENOMEM;
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c

index 31983a7da6c92f0224c9fe31bf50d05ffa6962c5..27260186f0a5e46a8efcdf29442c3c22ed6cc8be 100644 (file)
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -35,7 +35,6 @@
  #define DBGC_CLASS DBGC_KERBEROS
  
  #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
-#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
  
  krb5_error_code ks_get_principal(krb5_context context,
                                  krb5_const_principal principal,
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h

index 2caefd58ae91d3bbad4b6c230e675a500aa7ea0c..5d73c5bbb9dfd13563ea8f8d66c4df699fb06336 100644 (file)
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -68,4 +68,6 @@ struct samba_kdc_entry {
  
  extern struct hdb_method hdb_samba4_interface;
  
+#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */
+
  #endif /* _SAMBA_KDC_H_ */
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Tue, 24 May 2022 05:53:49 +0000 (17:53 +1200)
committer	Jule Anger <janger@samba.org>
	Wed, 27 Jul 2022 10:52:36 +0000 (10:52 +0000)
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history
selftest/knownfail_mit_kdc		patch \| blob \| blame \| history
source4/kdc/db-glue.c		patch \| blob \| blame \| history
source4/kdc/mit-kdb/kdb_samba_principals.c		patch \| blob \| blame \| history
source4/kdc/samba_kdc.h		patch \| blob \| blame \| history