From 66dae9eed87ecdc81e4ab2e4c7cf32a8246b5c795f251c294e6336b29cdc357a Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Tue, 18 Nov 2025 10:40:37 +0100
Subject: [PATCH] CVE-2025-11561: Disable kerberos localauth an2ln plugin for AD
Signed-off-by: Samuel Cabrero
---
 ...beros-localauth-an2ln-plugin-for-AD-.patch | 49 +++++++++++++++++++
 sssd.changes | 6 +++
 sssd.spec | 1 +
 3 files changed, 56 insertions(+)
 create mode 100644 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
diff --git a/0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch b/0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
new file mode 100644
index 0000000..068e80a
--- /dev/null
+++ b/0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
@@ -0,0 +1,49 @@
+From 9c194d8de3a4e579a91d7360a498522f919880e9 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 10 Oct 2025 12:57:40 +0200
+Subject: [PATCH] krb5: disable Kerberos localauth an2ln plugin for AD/IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a client is joined to AD or IPA SSSD's localauth plugin can handle
+the mapping of Kerberos principals to local accounts. In case it cannot
+map the Kerberos principals libkrb5 is currently configured to fall back
+to the default localauth plugins 'default', 'rule', 'names',
+'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
+All plugins except 'an2ln' require some explicit configuration by either
+the administrator or the local user. To avoid some unexpected mapping is
+done by the 'an2ln' plugin this patch disables it in the configuration
+snippets for SSSD's localauth plugin.
+
+Resolves: https://github.com/SSSD/sssd/issues/8021
+
+:relnote: After startup SSSD already creates a Kerberos configuration
+ snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
+ if the AD or IPA providers are used. This enables SSSD's localauth plugin.
+ Starting with this release the an2ln plugin is disabled in the
+ configuration snippet as well. If this file or its content are included in
+ the Kerberos configuration it will fix CVE-2025-11561.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+(cherry picked from commit 9939c39d1949fad48af2f0b43c788bad0809e310)
+(cherry picked from commit a08e5862693ed1191ba464351ae43c779b509096)
+---
+ src/util/domain_info_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index 677b76ff3..00f22b19d 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -747,6 +747,7 @@ done:
+ #define LOCALAUTH_PLUGIN_CONFIG \
+ "[plugins]\n" \
+ " localauth = {\n" \
++" disable = an2ln\n" \
+ " module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+ " }\n"
+
+--
+2.51.1
diff --git a/sssd.changes b/sssd.changes
index 96fc604..0f40bab 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Nov 18 09:38:39 UTC 2025 - Samuel Cabrero
+
+- Disable Kerberos localauth an2ln plugin for AD; (CVE-2025-11561);
+ (bsc#1251827);
+
 -------------------------------------------------------------------
 Thu Jul 31 16:15:46 UTC 2025 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index b67db3a..f2e51f5 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -30,6 +30,7 @@ Source3: baselibs.conf
 Source5: %name.keyring
 Source6: %name-rpmlintrc
 Patch1: 0001-TOOL-Fix-build-parameter-name-omitted.patch
+Patch2: 0002-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
 Patch11: krb-noversion.diff
 Patch12: harden_sssd-ifp.service.patch
 Patch13: harden_sssd-kcm.service.patch
--
2.51.1
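Review bot: The new `" disable = an2ln\n"` line added to LOCALAUTH_PLUGIN_CONFIG in src/util/domain_info_utils.c carries no explanation in the code itself; the rationale exists only in the backported commit message, so the next person editing the macro has nothing telling them that dropping the line reopens the fallback mapping. A comment above the `#define` would preserve it, e.g. `/* an2ln is the only default libkrb5 localauth plugin that needs no explicit configuration, so it is disabled to avoid unexpected principal-to-user mappings when SSSD's own plugin cannot map (CVE-2025-11561). */`. The relnote in the same hunk states the snippet only helps when krb5.conf actually includes it, which is worth repeating in that comment since the macro cannot enforce it. Separately, the sssd.changes entry says "for AD" while the patch title and relnote say the snippet is written for both the AD and IPA providers, so the changelog wording appears to understate the scope.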