[Midnightbsd-cvs] [MidnightBSD/src] fe4d77: pam_krb5 authenticates the user by essentially run...
Lucas Holt
noreply at github.com
Wed Jun 21 09:16:01 EDT 2023
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: fe4d77711f04cfcd873270200831162f7b0e23f7
https://github.com/MidnightBSD/src/commit/fe4d77711f04cfcd873270200831162f7b0e23f7
Author: Lucas Holt <luke at foolishgames.com>
Date: 2023-06-21 (Wed, 21 Jun 2023)
Changed paths:
M lib/libpam/modules/pam_krb5/pam_krb5.8
M lib/libpam/modules/pam_krb5/pam_krb5.c
Log Message:
-----------
pam_krb5 authenticates the user by essentially running kinit(1) with the
password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key
Distribution Center) over the network, as a way to verify the password.
Normally, the system running the pam_krb5 module will also have a keytab, a
key provisioned by the KDC. The pam_krb5 module will use the tgt to get a
service ticket and validate it against the keytab, ensuring the tgt is valid
and therefore, the password is valid.
However, if a keytab is not provisioned on the system, pam_krb5 has no way to
validate the response from the KDC, and essentially trusts the tgt provided
over the network as being valid.
Obtained from: FreeBSD
Commit: d7ee965e4b8ed18743d7bfc9ad48c7b0bc5850fc
https://github.com/MidnightBSD/src/commit/d7ee965e4b8ed18743d7bfc9ad48c7b0bc5850fc
Author: Lucas Holt <luke at foolishgames.com>
Date: 2023-06-21 (Wed, 21 Jun 2023)
Changed paths:
M crypto/openssh/authfd.c
Log Message:
-----------
When using ssh-add(1) to add smartcard keys to ssh-agent(1) with per-hop
destination constraints, a logic error prevented the constraints from being
sent to the agent resulting in keys being added to the agent without
constraints.
Obtained from: FreeBSD
Compare: https://github.com/MidnightBSD/src/compare/f7fb69e38921...d7ee965e4b8e
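Added example, not part of either commit or of the MidnightBSD/FreeBSD sources: a shell audit for the condition the first log message describes, pam_krb5 enabled on a host with no keytab provisioned. The PAM policy directories, the `etc/krb5.keytab` location and the function names are assumptions about the host layout; the demo tree at the end is constructed.

```shell
#!/bin/sh
# Added example: flag hosts where pam_krb5 is enabled but no keytab exists.
# Assumptions: PAM policy lives in etc/pam.d and usr/local/etc/pam.d under
# the given root, and the host keytab is at etc/krb5.keytab.

# pam_krb5_services ROOT: print each PAM policy file that has an active
# (non-commented) rule naming pam_krb5.
pam_krb5_services() {
    root=${1%/}
    for f in "$root"/etc/pam.d/* "$root"/usr/local/etc/pam.d/*; do
        [ -f "$f" ] || continue
        # Drop comment lines first so a disabled rule is not reported.
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_krb5'; then
            printf '%s\n' "$f"
        fi
    done
}

# audit_pam_krb5 ROOT: return 0 when pam_krb5 is unused or a non-empty
# keytab is present, 1 when pam_krb5 is active and the keytab is missing.
audit_pam_krb5() {
    root=${1%/}
    keytab="$root/etc/krb5.keytab"
    services=$(pam_krb5_services "$root")
    if [ -z "$services" ]; then
        echo "OK: pam_krb5 not enabled in any PAM policy"
        return 0
    fi
    if [ -s "$keytab" ]; then
        echo "OK: pam_krb5 enabled and keytab present at $keytab"
        return 0
    fi
    echo "RISK: pam_krb5 enabled, no keytab at $keytab; KDC replies cannot be validated:"
    echo "$services" | sed 's/^/  /'
    return 1
}

# Constructed demo tree (not real system files): one active rule, one
# commented-out rule, and no keytab.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d"
printf 'auth sufficient pam_krb5.so no_warn try_first_pass\n' > "$demo/etc/pam.d/sshd"
printf '#auth sufficient pam_krb5.so\nauth required pam_unix.so\n' > "$demo/etc/pam.d/login"
audit_pam_krb5 "$demo" || echo "audit exit status: 1"
```

A non-empty keytab file is only a presence check; it does not prove the file holds a current key issued by the KDC.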