debian/0000775000000000000000000000000013170211655007171 5ustar debian/examples0000664000000000000000000000001411320710721010716 0ustar bin/ftp-gss debian/pyversions0000664000000000000000000000000511320710721011321 0ustar 2.4- debian/compat0000664000000000000000000000000212263277720010376 0ustar 9 debian/pycompat0000664000000000000000000000000211320710721010731 0ustar 2 debian/source/0000775000000000000000000000000013170170530010465 5ustar debian/source/format0000664000000000000000000000001412263277720011706 0ustar 3.0 (quilt) debian/control0000664000000000000000000000233513170207027010575 0ustar Source: pykerberos Section: python Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Calendarserver Maintainers Uploaders: Dr. Torge Szczepanek , Guido Günther Build-Depends: debhelper (>= 9), libkrb5-dev, python-all-dev, python (>= 2.6.6-3~) Standards-Version: 3.9.5 Vcs-Git: git://git.debian.org/git/calendarserver/pykerberos.git Vcs-Browser: http://git.debian.org/?p=calendarserver/pykerberos.git Package: python-kerberos Architecture: any Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends} Replaces: python2.4-kerberos (<= 0.0.svn55-1) Conflicts: python2.4-kerberos (<= 0.0.svn55-1) Provides: ${python:Provides} Description: GSSAPI interface module for Python This Python package is a high-level wrapper for Kerberos (GSSAPI) operations. The goal is to avoid having to build a module that wraps the entire Kerberos.framework, and instead offer a limited set of functions that do what is needed for client/server Kerberos authentication based on . . Much of the C-code here is adapted from Apache's mod_auth_kerb-5.0rc7. 
debian/patches/0000775000000000000000000000000013170206715010621 5ustar debian/patches/Add-KDC-authenticity-verification-support-CVE-2015-3206.patch0000664000000000000000000001440713170206715023231 0ustar Description: Add KDC authenticity verification support (CVE-2015-3206) Origin: upstream, https://github.com/02strich/pykerberos/ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pykerberos/+bug/1716429 Applied-Upstream: 1.1.6 Forwarded: not-needed Last-Update: 2017-10-05 * https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c * https://github.com/02strich/pykerberos/commit/5867201f1b9c682402aa9b495a654b8f346c8784 * https://github.com/02strich/pykerberos/commit/873fca96cb42ff1c163859a5618dc9983796f438 [Updated to not verify by default, to match the default in Ubuntu 12.04 LTS (before reacing EoL) and in debian Jessie, so as to not break existing configurations. --sbeattie]
--- pysrc/kerberos.py | 4 +++- src/kerberos.c | 5 +++-- src/kerberosbasic.c | 41 ++++++++++++++++++++++++++++++++++------- src/kerberosbasic.h | 2 +- 4 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/pysrc/kerberos.py b/pysrc/kerberos.py
index 8c6a712..4fa9df3 100644
--- a/pysrc/kerberos.py
+++ b/pysrc/kerberos.py
@@ -27,7 +27,7 @@ class BasicAuthError(KrbError):
 class GSSError(KrbError):
 pass
-def checkPassword(user, pswd, service, default_realm):
+def checkPassword(user, pswd, service, default_realm, verify=False):
 """
 This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the
@@ -49,6 +49,8 @@ def checkPassword(user, pswd, service, default_realm):
 @param default_realm: a string containing the default realm to use if one is not supplied in the user argument. Note that Kerberos realms are normally all uppercase (e.g., 'EXAMPLE.COM').
+ @param verify: a boolean flagging KDC verification to enabled or disabled
+ (default: False).
 @return: True if authentication succeeds, False otherwise.
 """
diff --git a/src/kerberos.c b/src/kerberos.c
index 740d9e1..4427797 100644
--- a/src/kerberos.c
+++ b/src/kerberos.c
@@ -31,12 +31,13 @@ static PyObject *checkPassword(PyObject *self, PyObject *args)
 const char *pswd = NULL;
 const char *service = NULL;
 const char *default_realm = NULL;
+ int verify = 0;
 int result = 0;
- if (!PyArg_ParseTuple(args, "ssss", &user, &pswd, &service, &default_realm))
+ if (!PyArg_ParseTuple(args, "ssss|b", &user, &pswd, &service, &default_realm, &verify))
 return NULL;
- result = authenticate_user_krb5pwd(user, pswd, service, default_realm);
+ result = authenticate_user_krb5pwd(user, pswd, service, default_realm, verify);
 if (result)
 return Py_INCREF(Py_True), Py_True;
diff --git a/src/kerberosbasic.c b/src/kerberosbasic.c
index 0c7bdd7..27d7c4f 100644
--- a/src/kerberosbasic.c
+++ b/src/kerberosbasic.c
@@ -26,9 +26,9 @@ extern PyObject *BasicAuthException_class;
 static void set_basicauth_error(krb5_context context, krb5_error_code code);
-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server);
+static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify);
-int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm)
+int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify)
 {
 krb5_context kcontext = NULL;
 krb5_error_code code;
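Review bot: The two added `@param verify` lines describe the flag only as "flagging KDC verification to enabled or disabled" and never say what is at stake when it is left at its default, even though the patch header states the default was deliberately kept at False. A caller reading this docstring cannot tell that with `verify=False` the KDC's reply is accepted unverified, so the password check remains exposed to the KDC-spoofing issue this patch addresses (CVE-2015-3206). Suggested wording: `@param verify: if True, verify the KDC's reply against the service principal's key (protects against KDC spoofing, CVE-2015-3206); the default False leaves the reply unverified.` checkPassword's body continues outside the hunk.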
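Review bot: The new `int verify = 0;` is filled through the `b` converter in `PyArg_ParseTuple(args, "ssss|b", ...)`, but `b` stores into a C `unsigned char`, not an `int`, so only one byte of `verify` is written and the zero initialiser is what keeps the other bytes sane on little-endian targets; on a big-endian target the flag would land in the most significant byte and be truncated back to 0 when passed as `unsigned char`, silently disabling verification. Declare it as `unsigned char verify = 0;`, which also matches the `unsigned char verify` parameter that `authenticate_user_krb5pwd` now takes in the kerberosbasic.c hunks below. checkPassword's body continues past the hunk.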
@@ -87,7 +87,7 @@ int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *se
 goto end;
 }
- code = verify_krb5_user(kcontext, client, pswd, server);
+ code = verify_krb5_user(kcontext, client, pswd, server, verify);
 if (code)
 {
@@ -113,10 +113,11 @@ end:
 }
 /* Inspired by krb5_verify_user from Heimdal */
-static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server)
+static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server, unsigned char verify)
 {
 krb5_creds creds;
- krb5_get_init_creds_opt gic_options;
+ krb5_get_init_creds_opt *gic_options;
+ krb5_verify_init_creds_opt vic_options;
 krb5_error_code ret;
 char *name = NULL;
@@ -131,17 +132,43 @@ static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal pri
 free(name);
 }
- krb5_get_init_creds_opt_init(&gic_options);
- ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options);
+ // verify passed in server principal if needed
+ if (verify) {
+ ret = krb5_unparse_name(context, server, &name);
+ if (ret == 0) {
+#ifdef PRINTFS
+ printf("Trying to get TGT for service %s\n", name);
+#endif
+ free(name);
+ }
+ }
+
+ // verify password
+ krb5_get_init_creds_opt_alloc(context, &gic_options);
+ ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, gic_options);
 if (ret)
 {
 set_basicauth_error(context, ret);
 goto end;
 }
+ // verify response authenticity
+ if (verify) {
+ krb5_verify_init_creds_opt_init(&vic_options);
+ krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_options, 1);
+ ret = krb5_verify_init_creds(context, &creds, server, NULL, NULL, &vic_options);
+ if (ret) {
+ set_basicauth_error(context, ret);
+ }
+ }
+
 end:
+ // clean up
 krb5_free_cred_contents(context, &creds);
+ if (gic_options)
+ krb5_get_init_creds_opt_free(context, gic_options);
+
 return ret;
 }
diff --git a/src/kerberosbasic.h b/src/kerberosbasic.h
index 0a91455..f3cfce5 100644
--- a/src/kerberosbasic.h
+++ b/src/kerberosbasic.h
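Review bot: The return value of `krb5_get_init_creds_opt_alloc(context, &gic_options)` is not checked, and `gic_options` is declared without an initialiser in the preceding hunk, so if the allocation fails the `if (gic_options)` test at `end:` reads whatever the library left in the out-pointer — unless it guarantees resetting it on failure, which this code should not rely on. Initialise it as `krb5_get_init_creds_opt *gic_options = NULL;` in the declaration hunk and check the call here: `ret = krb5_get_init_creds_opt_alloc(context, &gic_options);` followed by `if (ret) { set_basicauth_error(context, ret); goto end; }`. The first `if (verify)` block only unparses the server name for a PRINTFS message and its `ret` is overwritten immediately afterwards, so a failed unparse is silently ignored; wrapping that whole block in `#ifdef PRINTFS` makes the debug-only intent explicit. The added lines also use `//` comments and `if (...) {` braces where the surrounding context lines use `/* */` and a brace on its own line. verify_krb5_user's body starts outside the hunk.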
@@ -20,4 +20,4 @@ #define krb5_get_err_text(context,code) error_message(code) -int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm); +int authenticate_user_krb5pwd(const char *user, const char *pswd, const char *service, const char *default_realm, unsigned char verify); debian/patches/series0000664000000000000000000000007613170170541012036 0ustar Add-KDC-authenticity-verification-support-CVE-2015-3206.patch debian/NEWS0000664000000000000000000000435713170211606007675 0ustar pykerberos (1.1+svn10616-2ubuntu0.1) trusty-security; urgency=medium The python-kerberos checkPassword() method has been badly insecure in previous releases. It used to do (and still does by default) a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you. . Imagine you were verifying a password using LDAP authentication rather than Kerberos: you would, of course, use TLS in conjunction with LDAP to make sure you were talking to a real, trusted LDAP server. The same requirement applies here. kinit is not a password-verification service. . The usual way of doing this is to take the TGT you've obtained with the user's password, and then obtain a ticket for a principal for which the verifier has keys (e.g. a web server processing a username/password form login might get a ticket for its own HTTP/host@REALM principal), which it can then verify. Note that this requires that the verifier has its own Kerberos identity, which is mandated by the symmetric nature of Kerberos (whereas in the LDAP case, the use of public-key cryptography allows anonymous verification). . The fact of pykerberos being susceptible to KDC spoofing attacks has been filed as CVE-2015-3206. . 
With this version of the pykerberos package a new option is introduced for the checkPassword() method. Setting verify to True when using checkPassword() will perform a KDC verification. For this to work, you need to provide a krb5.keytab file containing service principal keys for the service you intend to use. . As the default krb5.keytab file in /etc is normally not accessible by non-root users/processes, you have to make sure a custom krb5.keytab file containing the correct principal keys is provided to your application using the KRB5_KTNAME environment variable. . Note: In Ubuntu 14.04 LTS, KDC verification support is disabled by default in order not to break existing setups. -- Guido Günther Sat, 22 Aug 2015 12:08:41 +0200 debian/copyright0000664000000000000000000000134711320710721011122 0ustar This package was debianized by Guido Guenther on Thu, 24 Aug 2006 14:38:08 +0200. It was downloaded from http://svn.calendarserver.org/repository/calendarserver/PyKerberos/ Upstream Author: Cyrus Daboo Copyright: 2006 Apple Computer, Inc. All rights reserved. License: Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ On Debian GNU/Linux systems, the complete text of the Apache License Version 2.0 can be found in `/usr/share/common-licenses/Apache-2.0'. The Debian packaging is (C) 2008, Guido Guenther and is licensed under the GPL, see `/usr/share/common-licenses/GPL'. 
debian/rules0000775000000000000000000000011412263277720010254 0ustar #!/usr/bin/make -f %: dh $@ --with python2 --buildsystem=python_distutils debian/docs0000664000000000000000000000003511320710721010033 0ustar README.txt pysrc/kerberos.py debian/changelog0000664000000000000000000001464313170211655011053 0ustar pykerberos (1.1+svn10616-2ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: The checkPassword function does not authenticate the KDC it attempts to communicate with (LP: #1716429) - Add-KDC-authenticity-verification-support-CVE-2015-3206.patch retrieved from xenial version (1.1.5-2build1). - CVE-2015-3206 - debian/NEWS: add explanation of issue and default chosen -- Mathieu Lafon Thu, 05 Oct 2017 09:32:55 +0200 pykerberos (1.1+svn10616-2) unstable; urgency=low [ Dr. Torge Szczepanek ] * [283e15c] Switch to dpkg-source 3.0 (quilt) format * upload to unstable * Thanks to Guido Günther providing assistance on adoption [ Guido Günther ] * [c040b5a] Add Torge to uploaders * [73df52a] Bump standards version -- Dr. Torge Szczepanek Mon, 13 Jan 2014 15:05:59 +0100 pykerberos (1.1+svn10616-1) unstable; urgency=low * [ef7f26c] New upstream version 1.1+svn10616 * [aa395ca] Remove article form package description to make lintian happy. 
* [d74731c] Bump standards version -- Guido Günther Sat, 02 Nov 2013 20:46:45 +0100 pykerberos (1.1+svn4895-1) unstable; urgency=low * [d6e470d] fix typo in package description (Closes: #520276) - thanks to Era Eriksson * [9667199] Imported Upstream version 1.1+svn4895 * [c253ce0] Set maintainer to Calendarserver Maintainers * [b81ee0b] Bump standards version * Many thanks to Rahul Amaram for preparing this -- Guido Günther Tue, 05 Jan 2010 20:30:33 +0100 pykerberos (1.1-3) unstable; urgency=low * upload to unstable * [13c43c2] fix maintainer -- Guido Günther Fri, 21 Nov 2008 14:03:31 +0100 pykerberos (1.1-2) experimental; urgency=low * [f68dfb7] remove duplicate doc entry * [cd1a498] bump standards version * [97d849a] install API docs * [a34e869] install example * [f302b04] don't ship the full Apache 2.0 license * [71c4d36] remove quilt build-dep -- Guido Guenther Fri, 19 Sep 2008 12:43:55 +0200 pykerberos (1.1-1) experimental; urgency=low * [21a4f56] Imported Upstream version 1.1 * [62890cd] remove all patches - applied upstream * [ac87947] disable patchsys quilt -- Guido Guenther Fri, 19 Sep 2008 11:35:05 +0200 pykerberos (1.0+svn2455-1) unstable; urgency=low * [fc16d01] Forward to SVN revision 2455 * [310bf2b] New patches: 0001-all-invocations-of-PyCObject_Check-pystate-should-r.patch: don't return error without setting an exception 0001-make-the-user-parameter-optional.patch: make gss_wrap/unwrap more flexible * [54f6106] Drop patches includeded upstream: 0001-Some-useful- constants.patch 0002-Wrap-Unwrap.patch 0003-Remove-some-OS-X- specific-descriptions.patch series -- Guido Guenther Thu, 19 Jun 2008 14:21:57 +0200 pykerberos (1.0+svn2447-1) unstable; urgency=low * upload to unstable * [39186bf] new upsteram SVN snapshot @2447 that has out password changing support (Trac: #256) merged * [b54f64b] Pick our wrap/unwrap patches from the more-kerberos branch of upstream's svn (Trac: #213, #214) * [5d197f5] reenable quilt -- Guido Guenther Fri, 23 May 2008 
10:09:01 +0200 pykerberos (1.0+mk080218-1) experimental; urgency=low * new version based on upstream's more-kerberos branch that basically consists ouf our patches: http://trac.macosforge.org/projects/calendarserver/ticket/213 http://trac.macosforge.org/projects/calendarserver/ticket/214 plus the so far unapplied: http://trac.macosforge.org/projects/calendarserver/ticket/256 * Python should be uppercase according to lintian, thanks! * bump standards version * drop python-includes.diff - fixed upstream -- Guido Guenther Mon, 18 Feb 2008 10:41:19 +0100 pykerberos (1.0-1) unstable; urgency=low * "New" upstream version * Upstream finally tagged a 1.0 version (which is identical to 0.0.svn1541) -- Guido Guenther Fri, 26 Oct 2007 13:14:57 +0200 pykerberos (0.0.svn1541-1) unstable; urgency=low * Forward to upstream svn revision 1541 * new patch: python_includes.diff, upstream broke the python.h include again -- Guido Guenther Sat, 04 Aug 2007 23:27:24 +0200 pykerberos (0.0.svn271-2) unstable; urgency=low * build depend on python-all-dev, thanks to Cyril Brulebois (Closes: #432353) * allow the package into testing (Closes: #392540) -- Guido Guenther Mon, 16 Jul 2007 13:37:53 -0400 pykerberos (0.0.svn271-1) unstable; urgency=low * New Upstream Version. This fixes the bad error reporting, so after the API is approved stable upstream we can move this package back to testing. * dropped patches: fix-setup: fixed upstream -- Guido Guenther Fri, 3 Nov 2006 18:01:08 +0100 pykerberos (0.0.svn202-1) unstable; urgency=low * New Upstream Version * dropped patches: kerberos-includes: applied upstream python-includes: not needed anymore since upstream uses standard include paths now * modified patches: fix-setup: most of it applied upstream, oneliner now -- Guido Guenther Wed, 27 Sep 2006 10:06:54 +0200 pykerberos (0.0.svn124-2) unstable; urgency=low * use MIT kerberos instead of heimdal kerberos. This makes it easier for us to keep close to upstream. 
* dropped patches: declare-nt-service - not needed with MIT kerberos * modified patches: kerberos-includes setup.py pass the include dirs via setup.py instead of #ifdef'ing them in the header files -- Guido Guenther Fri, 15 Sep 2006 13:57:13 +0200 pykerberos (0.0.svn124-1) unstable; urgency=low * new upstream SVN version * drop patches: - printf-cleanups - include-stdlib applied upstream * remove superflous debian/dirs -- Guido Guenther Wed, 13 Sep 2006 18:59:24 +0200 pykerberos (0.0.svn96-1) unstable; urgency=low * new upstream SVN version -- Guido Guenther Fri, 8 Sep 2006 19:28:27 +0200 pykerberos (0.0.svn55-2) unstable; urgency=low * rename to python-kerberos -- Guido Guenther Thu, 7 Sep 2006 19:00:54 +0200 pykerberos (0.0.svn55-1) unstable; urgency=low * Initial release (Closes: #384589) -- Guido Guenther Thu, 24 Aug 2006 14:38:08 +0200