From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 280407] Authentication fails when using pam_krb5.so
Date: Sun, 06 Oct 2024 04:33:43 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 13.3-RELEASE
X-Bugzilla-Who: cy@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: Not A Bug
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280407

Cy Schubert changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |Not A Bug
             Status|Open                        |Closed

--- Comment #8 from Cy Schubert ---
(In reply to Anderson Soares Ferreira from comment #6)

This is normal now. pam_krb5 was vulnerable to CVE-2023-3326. To avoid a rogue client spoofing a legitimate client, one creates a principal for the client and places its keytab on the client. The server knows the client is legitimate when the client presents its key from the keytab to the KDC. The KDC compares the key presented by the client from its keytab with the principal in the KDC database.

Works as designed.