From b25abc587657366a864b119c6ae899d440812c1f Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 10 Oct 2025 12:57:40 +0200 Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a client is joined to AD or IPA SSSD's localauth plugin can handle the mapping of Kerberos principals to local accounts. In case it cannot map the Kerberos principals libkrb5 is currently configured to fall back to the default localauth plugins 'default', 'rule', 'names', 'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). All plugins except 'an2ln' require some explicit configuration by either the administrator or the local user. To avoid some unexpected mapping is done by the 'an2ln' plugin this patch disables it in the configuration snippets for SSSD's localauth plugin. Resolves: https://github.com/SSSD/sssd/issues/8021 :relnote: After startup SSSD already creates a Kerberos configuration snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin if the AD or IPA providers are used. This enables SSSD's localauth plugin. Starting with this release the an2ln plugin is disabled in the configuration snippet as well. If this file or its content are included in the Kerberos configuration it will fix CVE-2025-11561. Reviewed-by: Alexey Tikhonov Reviewed-by: Pavel Březina (cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310) --- src/util/domain_info_utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c index a6fae06af..81eec9eac 100644 --- a/src/util/domain_info_utils.c +++ b/src/util/domain_info_utils.c @@ -751,6 +751,7 @@ done: #define LOCALAUTH_PLUGIN_CONFIG \ "[plugins]\n" \ " localauth = {\n" \ +" disable = an2ln\n" \ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \ " }\n" -- 2.51.0