Bug 1431589

Summary: Libvirt needs to enforce a stronger SSF value for GSSAPI w/ Kerberos.

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Daniel Berrangé <berrange> |
| Component: | libvirt | Assignee: | Ján Tomko <jtomko> |
| libvirt sub component: | General | QA Contact: | Lili Zhu <lizhu> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | unspecified | | |
| Priority: | high | CC: | chhu, dyuan, fjin, jdenemar, jsuchane, jtomko, knoel, mtessun, rbalakri, virt-maint, xuzhang, yafu, zpeng |
| Version: | 9.0 | Keywords: | AutomationBackLog, Reopened, Triaged |
| Target Milestone: | rc | | |
| Target Release: | 9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-7.10.0-1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-17 12:45:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | 7.10.0 |
| Embargoed: | | | |
| Bug Depends On: | 1431586 | | |
| Bug Blocks: | | | |
Description
Daniel Berrangé
2017-03-13 11:36:00 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Pushed upstream as:

```
commit 58a48cff840d623822eaf34c4a08cb364cc26f2f
Author: Ján Tomko <jtomko>
CommitDate: 2021-11-04 17:02:56 +0100

    daemon: add tcp_min_ssf option

    Add an option to allow the admin to request a higher minimum SSF for
    connections than the built-in default.

    The current default is 56 (single DES equivalent, to support old
    kerberos) and will be raised to 112 in the future.

    https://bugzilla.redhat.com/show_bug.cgi?id=1431589

    Signed-off-by: Ján Tomko <jtomko>
    Reviewed-by: Michal Privoznik <mprivozn>
```

git describe: v7.9.0-56-g58a48cff84

Tested with libvirt-7.10.0-1.el9.x86_64:

1. configure virtproxyd.conf

```
# cat /etc/libvirt/virtproxyd.conf
tcp_min_ssf = 56
```

2. restart virtproxyd

```
# systemctl restart virtproxyd
Job for virtproxyd.service failed because the control process exited with error code.
See "systemctl status virtproxyd.service" and "journalctl -xeu virtproxyd.service" for details.
```

3. check the log

```
...
error : main:925 : Can't load config file: unsupported configuration: minimum SSF levels lower than 112 are not supported: /etc/libvirt/virtproxyd.conf
...
```

1. The krb5.conf is configured as follows:

```
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 allow_weak_crypto = true
 default_realm = LAB.ENG.PEK2.REDHAT.COM

[realms]
 LAB.ENG.PEK2.REDHAT.COM = {
  kdc = kdc.lab.eng.pek2.redhat.com:88
  admin_server = kdc.lab.eng.pek2.redhat.com:749
 }

[domain_realm]
 .lab.eng.pek2.redhat.com = LAB.ENG.PEK2.REDHAT.COM
 lab.eng.pek2.redhat.com = LAB.ENG.PEK2.REDHAT.COM
```

2. Then I set the encryption type of the principal to single-DES:

```
kadmin.local: getprinc root/admin
Principal: root/admin.PEK2.REDHAT.COM
Expiration date: [never]
Last password change: Mon Dec 13 11:35:13 CST 2021
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Dec 13 11:35:13 CST 2021 (root/admin.PEK2.REDHAT.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
```

3. Then I tried to connect to the KDC on RHEL9

```
# rpm -qa |grep krb5
krb5-libs-1.19.1-12.el9.x86_64
krb5-pkinit-1.19.1-12.el9.x86_64
krb5-server-1.19.1-12.el9.x86_64
krb5-workstation-1.19.1-12.el9.x86_64
# kadmin
Authenticating as principal root/admin.PEK2.REDHAT.COM with password.
kadmin: KDC has no support for encryption type while initializing kadmin interface
```

I can not connect to the KDC, but I can make it on RHEL7.

Hi, Jan

I want the SSF on the KDC to be less than 112 to trigger the warning. But I can not connect to the KDC under the above configuration. Am I in the right direction? Please help to take a look.

Thanks

Hi, Jan

I checked the doc again: https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/enctypes.html

It says "krb5 releases 1.18 and later do not support single-DES". Please help on how to trigger the warning.

Thanks

Oops, I don't think it can be easily tested if krb5-libs no longer supports it. The good thing is that if it's unsupported by that package, people are less likely to be using it.

If I remember correctly, back when I tried the patches, I cheated by using a version of the daemon with a higher hardcoded value.

Verify this bug with: libvirt-7.10.0-1.el9.x86_64

1. configure virtproxyd.conf

```
# cat /etc/libvirt/virtproxyd.conf
tcp_min_ssf = 56
```

2. restart virtproxyd

```
# systemctl restart virtproxyd
Job for virtproxyd.service failed because the control process exited with error code.
See "systemctl status virtproxyd.service" and "journalctl -xeu virtproxyd.service" for details.
```

3. check the log

```
...
error : main:925 : Can't load config file: unsupported configuration: minimum SSF levels lower than 112 are not supported: /etc/libvirt/virtproxyd.conf
...
```

4. set the tcp_min_ssf value to 256

```
tcp_min_ssf = 256
```

5. restart virtproxyd

```
# systemctl restart virtproxyd
# echo $?
0
```

As the testing result matches with the expected result, mark the bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390
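Added example, not from the bug report or from libvirt itself: a small POSIX sh audit that reads a libvirt daemon config file the way the verification steps above configure virtproxyd.conf and reports whether tcp_min_ssf is unset, below the 112 floor the tested daemon refuses to load, or acceptable. The threshold constant, the function names and the sample config files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt): audit a libvirt daemon
# config file for tcp_min_ssf. MIN_SSF is the floor the daemon tested on this
# page enforces ("minimum SSF levels lower than 112 are not supported").
MIN_SSF=112

# Print the effective tcp_min_ssf value in FILE (last uncommented assignment
# wins, matching key = value parsing), or nothing if the option is not set.
tcp_min_ssf_value() {
    sed -n 's/^[[:space:]]*tcp_min_ssf[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Exit status: 0 = set and >= MIN_SSF; 1 = set but below MIN_SSF (the daemon
# will refuse to start, as in the verification steps); 2 = not set, so the
# built-in default applies (56 upstream when the option was added, per the
# commit message quoted above).
check_tcp_min_ssf() {
    v=$(tcp_min_ssf_value "$1")
    if [ -z "$v" ]; then
        echo "$1: tcp_min_ssf not set, built-in default applies"
        return 2
    elif [ "$v" -lt "$MIN_SSF" ]; then
        echo "$1: tcp_min_ssf = $v is below $MIN_SSF, virtproxyd will fail to load it"
        return 1
    fi
    echo "$1: tcp_min_ssf = $v (ok)"
    return 0
}

# Constructed sample configs mirroring the two values tried on this page,
# plus one where the option is only present as a comment.
TMP=$(mktemp -d)
printf '# constructed sample\ntcp_min_ssf = 56\n' > "$TMP/weak.conf"
printf 'tcp_min_ssf = 256\n' > "$TMP/strong.conf"
printf '#tcp_min_ssf = 56\nlisten_tls = 1\n' > "$TMP/unset.conf"

for f in "$TMP"/*.conf; do
    check_tcp_min_ssf "$f" || true
done
```

Run it against the real file with `check_tcp_min_ssf /etc/libvirt/virtproxyd.conf` after sourcing the script; a non-zero status flags a setting the daemon would reject or one that silently relies on the default.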