Commit Graph

20 Commits

Author SHA1 Message Date
Rob Crittenden
21c6ccc982 Fix some resource leaks identified by a static analyzer
Fixes: https://pagure.io/freeipa/issue/9367

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-08-16 07:18:33 +02:00
Julien Rische
4a61184da6 kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
  this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
  global one, use flags from the global ticket policy if they are set.
  Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
  flags.

However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.

This was causing multiple issues, which are mitigated by the new
approach:

Now flags from each level are combined together. There are flags like
+requires_preauth which are set systematically by the KDB driver, as
well as -allow_tix which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.

In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).

Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa service-mod", or using kadmin's "modprinc".

It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.

When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), all the system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.

This fixes CVE-2024-3183

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
Alexander Bokovoy
dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
Simo Sorce
4abd2f76d7 Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be stored in whatever
memory location is pointed by the stack at that time causing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is the kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-26 11:33:48 +01:00
Simo Sorce
e2c2d5967d Add compatibility function for older libkrb5
Before krb5 1.13 the krb5_salttype_to_string() function was returning
incorrect names (display names of some kind instead of the names
used by the rest of the library to map saltname to the salt type
integer number).
This patch adds a function that checks at runtime if we have a working
function and uses a fallback map updated to the salt types known up
to 1.12, this allows us to use the library provided function in
following releases where new salt types may emerge.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Milan Kubik <mkubik@redhat.com>
2015-05-30 12:24:15 -04:00
Simo Sorce
d5b6c83601 Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
2015-05-27 09:45:56 -04:00
Jan Cholasta
66a42e67f3 Fix unchecked return value in krb5 common utils
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Simo Sorce
f352702d67 ipa-getkeytab: Add support for get_keytab extop
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
88bcf5899c keytabs: Expose and modify key encoding function
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Nathaniel McCallum
b769d1c186 Add support to ipa-kdb for keyless principals
https://fedorahosted.org/freeipa/ticket/3779

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-19 10:15:36 +01:00
Simo Sorce
505bc85ec3 Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ipa components.
2012-07-30 10:31:47 -04:00
Sumit Bose
ee936431c8 Move some krb5 keys related functions from ipa-client to util
2012-06-11 12:04:05 +02:00
Simo Sorce
a9e4316d5a Add missing copyright header
2011-11-17 16:15:24 -05:00
Simo Sorce
08137836a3 Amend #2038 fix
The math was unsafe, thanks to Nalin for spotting it.
2011-11-05 19:05:08 -04:00
Simo Sorce
f7938a1773 Modify random salt creation for interoperability
See:
https://fedorahosted.org/freeipa/ticket/2038
2011-11-04 11:10:56 +01:00
Simo Sorce
452fcdccdc ipa-kdb: implement change_pwd function
2011-08-26 08:24:49 -04:00
Simo Sorce
7d41e7b4d4 ipa-pwd-extop: make encsalt parsing function common
It is going to be used by the ipa-kdb module too.
2011-08-26 08:24:49 -04:00
Simo Sorce
eed401306c ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
4928229093 ipa-pwd-extop: Move encryption of keys in common
This way we can reuse the same code from ipa-kdb later
2011-08-26 08:24:49 -04:00
Jakub Hrozek
3b7a86024b Use internal implementation of internal Kerberos functions
Don't use KRB5_PRIVATE.

The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
 * krb5_principal2salt_norealm
 * krb5_free_ktypes

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00