Bug 1076197

Summary: please add support for rxkad-kdf for AFS tokens
Product: Fedora
Reporter: Benjamin Kaduk <kaduk-rhbz>
Component: pam_krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: unspecified
Version: 22
CC: dhowells, dpal, jaltman, jhrozek, nalin, sbose
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pam_krb5-2.4.12-1.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-08 20:53:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Benjamin Kaduk 2014-03-13 18:33:10 UTC
Description of problem:

pam_krb5 supports obtaining AFS tokens, but only supports tokens using the traditional 2b and rxk5 token formats, requiring a single-DES session key in the kerberos ticket.  Since many sites are trying to disable the use of single-DES for kerberos, a KDF algorithm has been specified for using kerberos session keys of other enctypes to produce fcrypt keys that can be used for AFS tokens.  This allows single-DES to be disabled at the KDC, although it does not change the fcrypt encryption used by AFS on the wire.  Having pam_krb5 support this new rxkad-kdf token scheme would make it easier for sites to disable the use of single-DES in kerberos.


Additional info:

This KDF scheme was originally published at http://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html .  The same document is also available (under a different name/number) through the IETF tools, at http://tools.ietf.org/html/draft-kaduk-afs3-rxkad-k5-kdf-00 .
Single-DES is officially deprecated for use in Kerberos, per http://tools.ietf.org/html/rfc6649 .
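To make the derivation described in this report concrete, here is an added illustration in Python of the rxkad-k5-kdf construction as I read the referenced draft. It is not pam_krb5's or OpenAFS's code; the specific details assumed here (HMAC-MD5 keyed with the Kerberos session key over a 32-bit big-endian counter starting at 1, truncated to 8 bytes, DES odd parity applied, weak or semi-weak results skipped by incrementing the counter, and single-DES session keys passed through unchanged) should be checked against the draft before being relied on. The enctype numbers are the standard RFC 3961 values; the sample keys are constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# RFC 3961 encryption type numbers (standard values).
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD4 = 2
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18

# Session keys of these enctypes already are single-DES keys; the KDF is
# only applied to other enctypes (assumption: my reading of the draft).
SINGLE_DES_ENCTYPES = {ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD4, ENCTYPE_DES_CBC_MD5}

# The 16 weak and semi-weak DES keys (FIPS 74), written with odd parity.
DES_WEAK_KEYS = {bytes.fromhex(k) for k in (
    "0101010101010101", "fefefefefefefefe", "1f1f1f1f0e0e0e0e", "e0e0e0e0f1f1f1f1",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
    "011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
)}


def des_fix_parity(key8: bytes) -> bytes:
    """Force odd parity on every byte; the low bit of each byte is the parity bit."""
    out = bytearray()
    for b in key8:
        high7 = b & 0xFE
        parity_bit = 0 if bin(high7).count("1") % 2 else 1
        out.append(high7 | parity_bit)
    return bytes(out)


def des_is_weak(key8: bytes) -> bool:
    """True if the key (after parity correction) is a weak or semi-weak DES key."""
    return des_fix_parity(key8) in DES_WEAK_KEYS


def rxkad_kdf(session_key: bytes, enctype: int) -> Tuple[bytes, int]:
    """Derive an 8-byte fcrypt/DES key for an AFS token from a Kerberos session key.

    Returns (derived_key, counter). The counter is 0 when the session key
    was used as-is (single-DES enctypes) and otherwise the value of n at
    which a non-weak key was found (assumption: construction per the draft).
    """
    if enctype in SINGLE_DES_ENCTYPES:
        if len(session_key) != 8:
            raise ValueError("single-DES session key must be 8 bytes")
        return session_key, 0

    n = 1
    while True:
        # K(n) = HMAC-MD5(session_key, n) with n as a 32-bit big-endian integer.
        mac = hmac.new(session_key, struct.pack(">I", n), hashlib.md5).digest()
        candidate = des_fix_parity(mac[:8])
        if candidate not in DES_WEAK_KEYS:
            return candidate, n
        # Weak or semi-weak DES key: try the next counter value.
        n += 1


if __name__ == "__main__":
    # Constructed sample: a 32-byte AES-256 session key, not a real ticket key.
    sample_aes_key = bytes(range(32))
    key, n = rxkad_kdf(sample_aes_key, ENCTYPE_AES256_CTS_HMAC_SHA1_96)
    print("derived fcrypt key:", key.hex(), "counter:", n)
```

The point of the scheme, as the report states, is that the KDC can stop issuing single-DES session keys while the AFS wire encryption (fcrypt) stays unchanged: the AES or other session key is what Kerberos protects, and the DES key used by rxkad is derived from it on the client and file server independently.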

Comment 1 Dmitri Pal 2014-03-14 17:43:48 UTC
I suspect you will have 0 success with pam_krb5 as this is a dying breed. I suggest you look at SSSD, open a similar ticket for it and contribute a feature.
Please start with opening an SSSD upstream ticket.

Comment 2 Jaroslav Reznik 2015-03-03 15:34:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 3 Fedora Admin XMLRPC Client 2015-09-08 17:51:25 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Nalin Dahyabhai 2016-01-05 15:19:29 UTC
I think this should work correctly in the just-tagged 2.4.12.

Comment 5 Fedora Update System 2016-01-06 16:25:30 UTC
pam_krb5-2.4.12-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-da1145ad41

Comment 6 Fedora Update System 2016-01-07 04:53:31 UTC
pam_krb5-2.4.12-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-da1145ad41

Comment 7 Fedora Update System 2016-01-08 20:53:14 UTC
pam_krb5-2.4.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.