Hello, FreeBSD/NetBSD have patched their pam_krb5 module to fix a spoofing vulnerability. They didn't use the krb5_verify_init_creds() method, which by default allows the spoofing when the configuration option "verify_ap_req_nofail" is set to false. This default cannot be changed, as discussed in 2011 (see reference 4), because it could break deployments not using host keys.
So, would it be possible to change the way credentials are verified using an argument, as was done for FreeBSD with "allow_kdc_spoof", where by default the spoofing vulnerability is fixed, in this pam-krb5 project?
I think this would be a good idea and I do want to implement it, but I'm not sure when I'm going to have the time. This summer has been full of unfortunate distractions. In the meantime, if you haven't already, please point people at the existing extensive discussion of KDC spoofing in the man page.
The best fix, even better than changing these options since it protects the system even when there is no readable keytab, is to use FAST, which inherently includes anti-spoofing protection, although the simplest way to use FAST requires that the KDC support anonymous PKINIT.
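As an added illustration (not from the issue or the pam-krb5 project), a constructed krb5.conf fragment showing the default fail-open verification setting beside the hardened one, plus the FAST alternative the maintainer mentions; only verify_ap_req_nofail is quoted in the issue, and the anon_fast option name is assumed from the pam-krb5 man page and should be checked on the target system.

```ini
# Constructed krb5.conf fragment (added example, not from the issue).
[libdefaults]
    # Default behaviour (weak): if the host keytab is missing or unreadable,
    # krb5_verify_init_creds() skips the AP-REQ check and a forged KDC reply
    # is accepted. Shown commented out; this is what you get with no setting.
    # verify_ap_req_nofail = false

    # Hardened: a failed AP-REQ verification is fatal, so a login with no
    # usable host key is rejected instead of trusting the KDC reply.
    # Requires every host running pam_krb5 to hold a readable keytab for
    # its host/ principal, which is why the upstream default was not changed.
    verify_ap_req_nofail = true

[appdefaults]
    pam = {
        # Alternative raised by the maintainer: FAST armors the AS exchange
        # so the KDC reply cannot be spoofed even without a readable keytab.
        # anon_fast is an assumed option name (check the pam_krb5 man page);
        # it needs a KDC that supports anonymous PKINIT.
        anon_fast = true
    }
```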
freebsd-git pushed a commit to freebsd/freebsd-ports that referenced this issue on Aug 21, 2023
References: