rpms/sssd
6
0
Fork 0
Code Issues Pull Requests Releases Activity
c914efba43
sssd/SOURCES/0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
eabdullin c914efba43 Import from CS git
2025-11-05 07:48:28 +00:00

50 lines
2.0 KiB
Diff
Raw Blame History

From b25abc587657366a864b119c6ae899d440812c1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 10 Oct 2025 12:57:40 +0200
Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping is
done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.
Resolves: https://github.com/SSSD/sssd/issues/8021
:relnote: After startup SSSD already creates a Kerberos configuration
snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
if the AD or IPA providers are used. This enables SSSD's localauth plugin.
Starting with this release the an2ln plugin is disabled in the
configuration snippet as well. If this file or its content are included in
the Kerberos configuration it will fix CVE-2025-11561.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
---
src/util/domain_info_utils.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index a6fae06af..81eec9eac 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -751,6 +751,7 @@ done:
#define LOCALAUTH_PLUGIN_CONFIG \
"[plugins]\n" \
" localauth = {\n" \
+" disable = an2ln\n" \
" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
" }\n"
--
2.51.0
Reference in New Issue View Git Blame Copy Permalink