krb5: disable Kerberos localauth an2ln plugin for AD/IPA #8136
Conversation
Code Review
This pull request correctly disables the an2ln Kerberos localauth plugin for AD/IPA providers to prevent unexpected principal-to-account mappings. The change in the C code is straightforward and effective. The accompanying Python tests validate the new behavior, but they could be improved for better portability and adherence to pytest best practices. I've added a couple of suggestions to make the tests more robust and readable.
Could you please add an RN, including "Fixes CVE-2025-11561" (if I understand correctly and this indeed fully fixes this CVE)?
542cdf0 to 963f583

Note: Covscan is green.

@sumit-bose, could you please also add 'Resolves: #8021' to the commit message?
If a client is joined to AD or IPA, SSSD's localauth plugin can handle the mapping of Kerberos principals to local accounts. In case it cannot map the Kerberos principals, libkrb5 is currently configured to fall back to the default localauth plugins 'default', 'rule', 'names', 'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details). All plugins except 'an2ln' require some explicit configuration by either the administrator or the local user. To avoid some unexpected mapping being done by the 'an2ln' plugin, this patch disables it in the configuration snippets for SSSD's localauth plugin.

Resolves: SSSD#8021

:relnote: After startup SSSD already creates a Kerberos configuration snippet, typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin, if the AD or IPA providers are used. This enables SSSD's localauth plugin. Starting with this release the an2ln plugin is disabled in the configuration snippet as well. If this file or its content is included in the Kerberos configuration, it will fix CVE-2025-11561.
963f583 to 4736ec3

Added in the latest version.

Thank you, ACK.

We agreed @sumit-bose will split this PR into 2: a product patch + a test.
Hi, thank you for including the test. Would it be possible to add a test that actually tests the CVE, not just the configuration? |
4736ec3 to c126490

Hi, this PR now has only one commit with the product patch. The test is moved to #8145. bye,

Hi, I can see how hard/easy this would be. But if I find a way it will most probably be in a third PR. bye,

Pushed PR: #8136
If a client is joined to AD or IPA, SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals, libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping
being done by the 'an2ln' plugin, this patch disables it in the
configuration snippets for SSSD's localauth plugin.
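To make the fallback chain in the commit message (and the PR description above) concrete, here is an added example that is my own code, not SSSD's: a small Python checker that parses a krb5.conf-style `[plugins]` `localauth` snippet and reports whether libkrb5 can still fall back to the `an2ln` module. The two embedded snippets are constructed to show the shape of the file SSSD writes, once without and once with `disable = an2ln`; the module path and exact layout are assumptions, since the PR page does not quote the file. The checker also treats an `enable_only` list that omits `an2ln` as disabling it, which follows the krb5.conf semantics for that relation rather than anything stated on this page.

```python
"""Check whether a krb5.conf-style snippet keeps libkrb5 from falling back
to the 'an2ln' localauth module.  Added example, not SSSD project code."""
import re
from collections import defaultdict

# Constructed sample (assumed path and layout): the shape of the snippet
# SSSD writes for AD/IPA before this change; only the module is configured,
# so libkrb5 still falls back to the built-in modules, including an2ln.
SNIPPET_BEFORE = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""

# Constructed sample: the same snippet with an2ln disabled, as the commit
# message describes.
SNIPPET_AFTER = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  disable = an2ln
 }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_RELATION = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_profile(text):
    """Minimal parser for the krb5 profile format: '[section]' headers,
    'key = value' relations and 'key = {' ... '}' subsections.
    Returns {(section, subsection, ...): {key: [values]}}.  Comment lines
    start with '#' or ';'.  This is a simplification of libkrb5's parser,
    sufficient for SSSD's localauth snippet."""
    tree = defaultdict(lambda: defaultdict(list))
    section, path = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            section, path = m.group(1), []
            continue
        if line == "}":
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
            continue
        m = _RELATION.match(line)
        if not m or section is None:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            path.append(key)          # nested subsection begins
        else:
            tree[(section, *path)][key].append(value)
    if path:
        raise ValueError("unclosed subsection")
    return tree


def localauth_policy(text):
    """Return the 'module', 'enable_only' and 'disable' relations found
    under [plugins] localauth, each as a list (krb5 allows repeats)."""
    node = parse_profile(text).get(("plugins", "localauth"), {})
    return {k: list(node.get(k, [])) for k in ("module", "enable_only", "disable")}


def an2ln_disabled(text):
    """True if the snippet prevents the fallback to an2ln: either an2ln is
    listed in 'disable', or an 'enable_only' list exists that omits it
    (enable_only restricts localauth to the listed modules)."""
    policy = localauth_policy(text)
    if "an2ln" in policy["disable"]:
        return True
    return bool(policy["enable_only"]) and "an2ln" not in policy["enable_only"]


if __name__ == "__main__":
    for name, snippet in (("before", SNIPPET_BEFORE), ("after", SNIPPET_AFTER)):
        print(f"{name}: an2ln fallback disabled = {an2ln_disabled(snippet)}")
        print(f"  localauth policy: {localauth_policy(snippet)}")
```

To check a real host, read the snippet SSSD wrote (for example from the krb5.include.d directory named in the release note) and pass its contents to `an2ln_disabled`; the snippet only matters if the main krb5.conf actually includes it, which the parser above does not verify.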