CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less

This matches the behaviour of Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Adapted entry to entry_ex->entry; included
 samba_kdc.h header file]

[jsutton@samba.org Fixed conflicts]

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 49ab29f115daf66b75e1cf8af8a38a6553be50a5..387ccea3ba75ac01945b7c2dccaa453ef453cbea 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -275,7 +275,6 @@
 # Kpasswd tests
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 46b0f1fa9edb3bdc0998ba8ab5929379123c199a..c2a31b4a140ce28feee4f93d885a97f2cbad2b25 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -580,7 +580,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
 ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index d2d7136608eeca8886f9cb36815ab940bdfb8533..073ec83c8cf488d891541859174be22b02b4f82c 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1226,6 +1226,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                                                kdc_db_ctx->policy.usr_tkt_lifetime);
        }
 
+       if (entry_ex->entry.flags.change_pw) {
+               /* Limit lifetime of kpasswd tickets to two minutes or less. */
+               *entry_ex->entry.max_life = MIN(*entry_ex->entry.max_life, CHANGEPW_LIFETIME);
+       }
+
        entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
        if (entry_ex->entry.max_renew == NULL) {
                ret = ENOMEM;

diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index cc67c2392be16c38ca41b1d4b4eca1c8a60b78df..2059ffa855e8fbb0bccb2dbb9d2de7b786681619 100644 (file)
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -27,11 +27,11 @@
 #include <profile.h>
 #include <kdb.h>
 
+#include "kdc/samba_kdc.h"
 #include "kdc/mit_samba.h"
 #include "kdb_samba.h"
 
 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
-#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
 
 krb5_error_code ks_get_principal(krb5_context context,
                                 krb5_const_principal principal,

diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index e228a82ce6ac323b605d9c590e8301900b34614d..8010d7c35ed05b14da2cafa70be3b61b76b755a1 100644 (file)
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -62,4 +62,6 @@ struct samba_kdc_entry {
 
 extern struct hdb_method hdb_samba4_interface;
 
+#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */
+
 #endif /* _SAMBA_KDC_H_ */