diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-12-05 21:45:08 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:29 +0000 |
commit | 0248907e34945153ff2be62dc11d75c956a05932 (patch) | |
tree | 72d6f62b9d1a33bef42789205dd7e0384522c09d /libcli | |
parent | c0c25cc0217b082c12330a8c47869c8428a20d0c (diff) | |
download | samba-0248907e34945153ff2be62dc11d75c956a05932.tar.gz |
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/auth/netlogon_creds_cli.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 0f4f7ad761e..118c81f6246 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -269,10 +269,12 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx); int global_client_schannel = lpcfg_client_schannel(lp_ctx); bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx); + int global_kerberos_enctypes = lpcfg_kerberos_encryption_types(lp_ctx); static bool warned_global_reject_md5_servers = false; static bool warned_global_require_strong_key = false; static bool warned_global_client_schannel = false; static bool warned_global_seal_secure_channel = false; + static bool warned_global_kerberos_encryption_types = false; static int warned_global_pid = 0; int current_pid = tevent_cached_getpid(); @@ -281,6 +283,7 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) warned_global_require_strong_key = false; warned_global_client_schannel = false; warned_global_seal_secure_channel = false; + warned_global_kerberos_encryption_types = false; warned_global_pid = current_pid; } @@ -323,6 +326,18 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); warned_global_seal_secure_channel = true; } + + if (global_kerberos_enctypes == KERBEROS_ETYPES_LEGACY && + !warned_global_kerberos_encryption_types) + { + /* + * We want admins to notice their misconfiguration! + */ + DBG_ERR("CVE-2022-37966: " + "Please void 'kerberos encryption types = legacy', " + "See https://bugzilla.samba.org/show_bug.cgi?id=15237\n"); + warned_global_kerberos_encryption_types = true; + } } NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, |