From: Joseph Sutton Date: Tue, 24 May 2022 05:53:49 +0000 (+1200) Subject: CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less X-Git-Tag: samba-4.17.0rc1~282 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3e773a3954ff95c4ec9daeedf2739a5edd81e8dc;p=thirdparty%2Fsamba.git CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less This matches the behaviour of Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider --- diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 2e523ec6483..ec0dd106f0f 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -58,7 +58,6 @@ # Kpasswd tests # ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc -^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 4059f2210f4..e1315ed71ac 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -438,7 +438,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc -^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 1797b5dcade..68eab93c680 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1337,6 +1337,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, kdc_db_ctx->policy.usr_tkt_lifetime); } + if (entry->flags.change_pw) { + /* Limit lifetime of kpasswd tickets to two minutes or less. */ + *entry->max_life = MIN(*entry->max_life, CHANGEPW_LIFETIME); + } + entry->max_renew = malloc(sizeof(*entry->max_renew)); if (entry->max_renew == NULL) { ret = ENOMEM; diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c index 31983a7da6c..27260186f0a 100644 --- a/source4/kdc/mit-kdb/kdb_samba_principals.c +++ b/source4/kdc/mit-kdb/kdb_samba_principals.c @@ -35,7 +35,6 @@ #define DBGC_CLASS DBGC_KERBEROS #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ -#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ krb5_error_code ks_get_principal(krb5_context context, krb5_const_principal principal, diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h index 2caefd58ae9..5d73c5bbb9d 100644 --- a/source4/kdc/samba_kdc.h +++ b/source4/kdc/samba_kdc.h @@ -68,4 +68,6 @@ struct samba_kdc_entry { extern struct hdb_method hdb_samba4_interface; +#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */ + #endif /* _SAMBA_KDC_H_ */