mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
The kpasswd service should require a kpasswd service ticket, and disallow TGTs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> [jsutton@samba.org Fixed knownfail conflicts]
This commit is contained in:
parent
7ee246ef9c
commit
ff66f68a11
@ -31,6 +31,7 @@ from samba.tests.krb5.rfc4120_constants import (
|
||||
KDC_ERR_TGT_REVOKED,
|
||||
KDC_ERR_TKT_EXPIRED,
|
||||
KPASSWD_ACCESSDENIED,
|
||||
KPASSWD_AUTHERROR,
|
||||
KPASSWD_HARDERROR,
|
||||
KPASSWD_INITIAL_FLAG_NEEDED,
|
||||
KPASSWD_MALFORMED,
|
||||
@ -779,6 +780,33 @@ class KpasswdTests(KDCBaseTest):
|
||||
self._make_tgs_request(creds, service_creds, ticket,
|
||||
expect_error=False)
|
||||
|
||||
# Show that we cannot provide a TGT to kpasswd to change the password.
|
||||
def test_kpasswd_tgt(self):
|
||||
# Create an account for testing, and get a TGT.
|
||||
creds = self._get_creds()
|
||||
tgt = self.get_tgt(creds)
|
||||
|
||||
# Change the sname of the ticket to match that of kadmin/changepw.
|
||||
tgt.set_sname(self.get_kpasswd_sname())
|
||||
|
||||
expected_code = KPASSWD_AUTHERROR
|
||||
expected_msg = b'A TGT may not be used as a ticket to kpasswd'
|
||||
|
||||
# Set the password.
|
||||
new_password = generate_random_password(32, 32)
|
||||
self.kpasswd_exchange(tgt,
|
||||
new_password,
|
||||
expected_code,
|
||||
expected_msg,
|
||||
mode=self.KpasswdMode.SET)
|
||||
|
||||
# Change the password.
|
||||
self.kpasswd_exchange(tgt,
|
||||
new_password,
|
||||
expected_code,
|
||||
expected_msg,
|
||||
mode=self.KpasswdMode.CHANGE)
|
||||
|
||||
# Test that kpasswd rejects requests with a service ticket.
|
||||
def test_kpasswd_non_initial(self):
|
||||
# Create an account for testing, and get a TGT.
|
||||
|
@ -48,3 +48,6 @@
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
|
||||
#
|
||||
# Kpasswd tests
|
||||
#
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
|
||||
|
@ -550,3 +550,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
|
||||
#
|
||||
# Kpasswd tests
|
||||
#
|
||||
samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
|
||||
|
Loading…
Reference in New Issue
Block a user