diff --git a/SOURCES/0020-p11_child-Add-timeout-parameter.patch b/SOURCES/0020-p11_child-Add-timeout-parameter.patch new file mode 100644 index 0000000..3c69dce --- /dev/null +++ b/SOURCES/0020-p11_child-Add-timeout-parameter.patch @@ -0,0 +1,262 @@ +From 629cb8dfc8077f13464a47bf9af5bdc9c2e9b950 Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Thu, 20 Mar 2025 18:11:40 +0100 +Subject: [PATCH] p11_child: Add timeout parameter + +p11_child communication with OCSP server may take a long time +because of network issues. Then p11_child is killed after +`p11_child_timeout` and the authentication fails. + +This is not desirable when `certificate_verification` is +set to `soft_ocsp`. This update will pass the timeout to the +child process so it can cancel the OCSP verification +before it is terminated. + +Resolves: https://github.com/SSSD/sssd/issues/6601 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Scott Poore +Reviewed-by: Sumit Bose +(cherry picked from commit 2cf2e83a223f0eb74bd81a7fcaf726c62d577719) + +Reviewed-by: Alexey Tikhonov +--- + src/p11_child/p11_child.h | 4 +++- + src/p11_child/p11_child_common.c | 19 +++++++++++++--- + src/p11_child/p11_child_openssl.c | 29 ++++++++++++++++++++++--- + src/responder/ifp/ifp_users.c | 12 +++++++++- + src/responder/pam/pamsrv_p11.c | 12 +++++++++- + src/responder/ssh/ssh_cert_to_ssh_key.c | 10 ++++++++- + 6 files changed, 76 insertions(+), 10 deletions(-) + +diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h +index e3547ce23..2bc83990c 100644 +--- a/src/p11_child/p11_child.h ++++ b/src/p11_child/p11_child.h +@@ -27,6 +27,7 @@ + + /* for CK_MECHANISM_TYPE */ + #include ++#include + + /* Time to wait for new slot events. */ + #define PKCS11_SLOT_EVENT_WAIT_TIME 1 +@@ -59,7 +60,8 @@ enum pin_mode { + }; + + errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, +- bool wait_for_card, struct p11_ctx **p11_ctx); ++ bool wait_for_card, time_t timeout, ++ struct p11_ctx **p11_ctx); + + errno_t init_verification(struct p11_ctx *p11_ctx, + struct cert_verify_opts *cert_verify_opts); +diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c +index 5eab9b063..9d690669c 100644 +--- a/src/p11_child/p11_child_common.c ++++ b/src/p11_child/p11_child_common.c +@@ -63,12 +63,12 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, + const char *cert_b64, const char *pin, + const char *module_name, const char *token_name, + const char *key_id, const char *label, const char *uri, +- char **multi) ++ time_t timeout, char **multi) + { + int ret; + struct p11_ctx *p11_ctx; + +- ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, &p11_ctx); ++ ret = init_p11_ctx(mem_ctx, ca_db, wait_for_card, timeout, &p11_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n"); + return ret; +@@ -165,6 +165,7 @@ int main(int argc, const char *argv[]) + char *label = NULL; + char *cert_b64 = NULL; + long chain_id = 0; ++ long timeout = -1; + bool wait_for_card = false; + char *uri = NULL; + +@@ -202,6 +203,8 @@ int main(int argc, const char *argv[]) + _("PKCS#11 URI to restrict selection"), NULL}, + {"chain-id", 0, POPT_ARG_LONG, &chain_id, + 0, _("Tevent chain ID used for logging purposes"), NULL}, ++ {"timeout", 0, POPT_ARG_LONG, &timeout, ++ 0, _("OCSP communication timeout"), NULL}, + POPT_TABLEEND + }; + +@@ -382,9 +385,19 @@ int main(int argc, const char *argv[]) + } + } + ++ /* sanity check for timeout value */ ++ if (timeout > INT32_MAX) { ++ fprintf(stderr, ++ "Timeout value [%li] is too long, using [%d]\n", ++ timeout, INT32_MAX); ++ timeout = INT32_MAX; ++ } else if (timeout < -1) { ++ timeout = -1; ++ } ++ + ret = do_work(main_ctx, mode, ca_db, cert_verify_opts, wait_for_card, + cert_b64, pin, module_name, token_name, key_id, label, uri, +- &multi); ++ timeout, &multi); + + done: + fprintf(stdout, "%d\n%s", ret, multi ? multi : ""); +diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c +index 45a4930ba..468d8cf5c 100644 +--- a/src/p11_child/p11_child_openssl.c ++++ b/src/p11_child/p11_child_openssl.c +@@ -44,6 +44,7 @@ struct p11_ctx { + const char *ca_db; + bool wait_for_card; + struct cert_verify_opts *cert_verify_opts; ++ time_t ocsp_deadline; + }; + + static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, +@@ -390,8 +391,19 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert) + + OCSP_request_add1_nonce(ocsp_req, NULL, -1); + +- ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl, +- req_timeout); ++ if (p11_ctx->ocsp_deadline != -1 && p11_ctx->cert_verify_opts->soft_ocsp) { ++ req_timeout = p11_ctx->ocsp_deadline - time(NULL); ++ if (req_timeout <= 0) { ++ /* no time left for OCSP */ ++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "Timeout before we could run OCSP request.\n"); ++ req_timeout = 0; ++ } ++ } ++ if (req_timeout != 0) { ++ ocsp_resp = process_responder(ocsp_req, host, path, port, use_ssl, ++ req_timeout); ++ } + if (ocsp_resp == NULL) { + if (p11_ctx->cert_verify_opts->soft_ocsp) { + tmp_str = get_issuer_subject_str(p11_ctx, cert); +@@ -580,7 +592,8 @@ static int p11_ctx_destructor(struct p11_ctx *p11_ctx) + } + + errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, +- bool wait_for_card, struct p11_ctx **p11_ctx) ++ bool wait_for_card, time_t timeout, ++ struct p11_ctx **p11_ctx) + { + int ret; + struct p11_ctx *ctx; +@@ -591,6 +604,16 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, + return ENOMEM; + } + ++ if (timeout == 1) { ++ /* timeout of 1 sec is too short (see -1 in deadline calculation), ++ * increasing to 2 and hope that the ocsp operation finishes ++ * before p11_child is terminated. ++ */ ++ timeout = 2; ++ } ++ /* timeout <= 0 means no timeout specified */ ++ ctx->ocsp_deadline = timeout > 0 ? time(NULL) + timeout - 1 : -1; ++ + /* See https://wiki.openssl.org/index.php/Library_Initialization for + * details. */ + #if OPENSSL_VERSION_NUMBER >= 0x10100000L +diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c +index 7acd46ef1..6c147d74d 100644 +--- a/src/responder/ifp/ifp_users.c ++++ b/src/responder/ifp/ifp_users.c +@@ -1128,7 +1128,7 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx, + goto done; + } + +- state->extra_args = talloc_zero_array(state, const char *, 8); ++ state->extra_args = talloc_zero_array(state, const char *, 10); + if (state->extra_args == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); + ret = ENOMEM; +@@ -1143,6 +1143,16 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx, + state->extra_args[arg_c++] = "--verify"; + } + state->extra_args[arg_c++] = "--verification"; ++ if (state->timeout > 0) { ++ state->extra_args[arg_c++] = talloc_asprintf(state, "%d", ++ state->timeout); ++ if (state->extra_args[arg_c - 1] == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ state->extra_args[arg_c++] = "--timeout"; ++ } + + ret = p11_child_exec(req); + +diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c +index 2f973d89f..1490ca28d 100644 +--- a/src/responder/pam/pamsrv_p11.c ++++ b/src/responder/pam/pamsrv_p11.c +@@ -746,7 +746,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + struct timeval tv; + int pipefd_to_child[2] = PIPE_INIT; + int pipefd_from_child[2] = PIPE_INIT; +- const char *extra_args[20] = { NULL }; ++ const char *extra_args[22] = { NULL }; + uint8_t *write_buf = NULL; + size_t write_buf_len = 0; + size_t arg_c; +@@ -778,6 +778,16 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + /* extra_args are added in revers order */ + arg_c = 0; + ++ if (timeout > 0) { ++ extra_args[arg_c++] = talloc_asprintf(mem_ctx, "%lu", timeout); ++ if (extra_args[arg_c - 1] == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ extra_args[arg_c++] = "--timeout"; ++ } ++ + chain_id = sss_chain_id_get(); + + extra_args[arg_c++] = talloc_asprintf(mem_ctx, "%lu", chain_id); +diff --git a/src/responder/ssh/ssh_cert_to_ssh_key.c b/src/responder/ssh/ssh_cert_to_ssh_key.c +index b8bc8b7ab..53c33c279 100644 +--- a/src/responder/ssh/ssh_cert_to_ssh_key.c ++++ b/src/responder/ssh/ssh_cert_to_ssh_key.c +@@ -91,7 +91,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, + } + state->valid_keys = 0; + +- state->extra_args = talloc_zero_array(state, const char *, 8); ++ state->extra_args = talloc_zero_array(state, const char *, 10); + if (state->extra_args == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); + ret = ENOMEM; +@@ -108,6 +108,14 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, + state->extra_args[arg_c++] = "--verify"; + } + state->extra_args[arg_c++] = "--verification"; ++ if (timeout > 0) { ++ state->extra_args[arg_c++] = talloc_asprintf(state, "%lu", timeout); ++ if (state->extra_args[arg_c - 1] == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ state->extra_args[arg_c++] = "--timeout"; ++ } + + state->certs = talloc_zero_array(state, const char *, cert_count); + if (state->certs == NULL) { +-- +2.51.0 + diff --git a/SOURCES/0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch b/SOURCES/0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch new file mode 100644 index 0000000..e40ef6b --- /dev/null +++ b/SOURCES/0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch @@ -0,0 +1,49 @@ +From b25abc587657366a864b119c6ae899d440812c1f Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 10 Oct 2025 12:57:40 +0200 +Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a client is joined to AD or IPA SSSD's localauth plugin can handle +the mapping of Kerberos principals to local accounts. In case it cannot +map the Kerberos principals libkrb5 is currently configured to fall back +to the default localauth plugins 'default', 'rule', 'names', +'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). +All plugins except 'an2ln' require some explicit configuration by either +the administrator or the local user. To avoid some unexpected mapping is +done by the 'an2ln' plugin this patch disables it in the configuration +snippets for SSSD's localauth plugin. + +Resolves: https://github.com/SSSD/sssd/issues/8021 + +:relnote: After startup SSSD already creates a Kerberos configuration + snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin + if the AD or IPA providers are used. This enables SSSD's localauth plugin. + Starting with this release the an2ln plugin is disabled in the + configuration snippet as well. If this file or its content are included in + the Kerberos configuration it will fix CVE-2025-11561. + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310) +--- + src/util/domain_info_utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index a6fae06af..81eec9eac 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -751,6 +751,7 @@ done: + #define LOCALAUTH_PLUGIN_CONFIG \ + "[plugins]\n" \ + " localauth = {\n" \ ++" disable = an2ln\n" \ + " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ + " }\n" + +-- +2.51.0 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 6510c28..2fe8698 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -19,7 +19,7 @@ Name: sssd Version: 2.9.4 -Release: 5%{?dist}.2.0.1 +Release: 5%{?dist}.3 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -46,6 +46,8 @@ Patch0016: 0016-KCM-fix-memory-leak.patch Patch0017: 0017-KCM-another-memory-leak-fixed.patch Patch0018: 0018-SYSDB-don-t-add-group-members-if-ignore_group_member.patch Patch0019: 0019-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch +Patch0020: 0020-p11_child-Add-timeout-parameter.patch +Patch0021: 0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch ### Downstream Patches ### @@ -1230,6 +1232,10 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri Oct 17 2025 Alejandro López - 2.9.4-5.3 +- Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z] +- Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z] + * Fri Apr 25 2025 Alexey Tikhonov - 2.9.4-5.2 - Resolves: RHEL-78300 - 'sssd_kcm' leaks memory [rhel-8.10.z] - Resolves: RHEL-82420 - Disk cache failure with large db sizes [rhel-8.10.z]