Bug 1540086

Summary: [RFE] make preauth types more descriptive in krb5 trace
Product: [Fedora] Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: abokovoy, j, nalin, npmccallum, rharwood, sbose, ssorce
URL: https://github.com/krb5/krb5/pull/746
Fixed In Version: krb5-1.16-18.fc28
Last Closed: 2018-04-01 19:07:23 UTC
Type: Bug
Bug Blocks: 1540130    

Description Alexander Bokovoy 2018-01-30 09:15:55 UTC
When pre-auth mechanisms are reported in an AS-REQ/AS-REP exchange between a Kerberos initiator and a KDC, there is no way to tell what they are except by knowing them by heart.

It would be nice to have KRB5_TRACE provide the name of the preauth module that handles a specific mechanism.

An example:
$ KRB5_TRACE=/dev/stderr kinit abbra
[30477] 1517302644.484474: Resolving unique ccache of type KEYRING
[30477] 1517302644.484475: Getting initial credentials for abbra
[30477] 1517302644.484477: Sending request (183 bytes) to FEDORAPROJECT.ORG
[30477] 1517302644.484478: Resolving hostname id.fedoraproject.org
[30477] 1517302645.51056: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302645.51057: Sending HTTPS request to https 140.211.169.206:443
[30477] 1517302645.51058: Received answer (317 bytes) from https 140.211.169.206:443
[30477] 1517302645.51059: Terminating TCP connection to https 140.211.169.206:443
[30477] 1517302646.200324: Response was not from master KDC
[30477] 1517302646.200325: Received error from KDC: -1765328359/Additional pre-authentication required
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133

In the line above we have a list of preauth types returned by the KDC but no explanation of which preauth modules could handle them.

[30477] 1517302646.200329: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302646.200330: Received cookie: MIT
Password for abbra: 
[30477] 1517302651.883541: AS key obtained for encrypted timestamp: aes256-cts/02B4
[30477] 1517302651.883543: Encrypted timestamp (for 1517302651.177437): plain 301AA011180F32303138303133303038353733315AA105020302B51D, encrypted A62EAB9C8913CCE3C6B7E955B830510CC42F565DF925A63C97E6178EC245F17D4C871148DECA652E9A64120ED608E8283E06C9B284B4EEEE
[30477] 1517302651.883544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[30477] 1517302651.883545: Produced preauth for next request: 133, 2

Here we chose two modules for next request but only one module explains its preauth type. It would be good to have all of them covered.

[30477] 1517302651.883546: Sending request (278 bytes) to FEDORAPROJECT.ORG
[30477] 1517302651.883547: Resolving hostname id.fedoraproject.org
[30477] 1517302652.258952: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302652.258953: Sending HTTPS request to https 209.132.190.2:443
[30477] 1517302652.258954: Received answer (743 bytes) from https 209.132.190.2:443
[30477] 1517302652.258955: Terminating TCP connection to https 209.132.190.2:443
[30477] 1517302653.408571: Response was not from master KDC
[30477] 1517302653.408572: Processing preauth types: 19

Here we get another preauth type response but no explanation of the module handling the type.

[30477] 1517302653.408573: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408575: AS key determined by preauth: aes256-cts/02B4
[30477] 1517302653.408576: Decrypted AS reply; session key is: aes256-cts/01D7
[30477] 1517302653.408577: FAST negotiation: available

Having the preauth module name annotated next to the preauth type could help with debugging and also with support cases.
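
Added example, not part of the original report and not the krb5 change itself: a small filter that annotates the preauth type lists in a KRB5_TRACE log with their registered names. The PA_NAMES table follows RFC 4120, RFC 6112 and RFC 6113; the function names and the "NAME (n)" output format are assumptions of this example.

```python
import re

# Preauth (PA-DATA) type numbers -> names, per RFC 4120, RFC 6112, RFC 6113.
# Covers the types in the trace above plus a few common ones, not the full
# IANA registry.
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE",
    136: "PA-FX-FAST", 138: "PA-ENCRYPTED-CHALLENGE",
    147: "PA-PKINIT-KX",
}

# Trace messages that end in a comma-separated list of preauth type numbers.
PA_LIST = re.compile(
    r"^(?P<head>.*(?:Processing preauth types|Produced preauth for next request): )"
    r"(?P<types>\d+(?:, \d+)*)\s*$"
)

def annotate_line(line):
    """Return the line with each preauth number rewritten as 'NAME (n)'."""
    m = PA_LIST.match(line)
    if not m:
        return line  # other messages, and "(empty)" lists, pass through
    out = []
    for tok in m.group("types").split(", "):
        name = PA_NAMES.get(int(tok))
        out.append(f"{name} ({tok})" if name else tok)  # unknown stays bare
    return m.group("head") + ", ".join(out)

def annotate_trace(text):
    """Annotate every line of a KRB5_TRACE log given as one string."""
    return "\n".join(annotate_line(line) for line in text.splitlines())

# First four lines are copied from the trace in the description; the last
# line is constructed to show an unlisted type number (999) passing through.
SAMPLE = """\
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[30477] 1517302651.883544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[30477] 1517302651.883545: Produced preauth for next request: 133, 2
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408572: Processing preauth types: 19, 999
"""

if __name__ == "__main__":
    print(annotate_trace(SAMPLE))
```

The filter can be run over a saved trace file; lines it does not recognise are returned unchanged, so the rest of the log stays byte-for-byte comparable.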

Comment 1 Fedora Update System 2018-03-20 16:49:17 UTC
krb5-1.16-12.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-87572156a2

Comment 2 Fedora Update System 2018-03-21 14:13:39 UTC
krb5-1.16-12.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-87572156a2

Comment 3 Fedora Update System 2018-03-27 18:42:31 UTC
krb5-1.16-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-247afd0f8c

Comment 4 Fedora Update System 2018-03-27 23:23:12 UTC
krb5-1.16-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-247afd0f8c

Comment 5 Fedora Update System 2018-03-29 15:21:45 UTC
krb5-1.16-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a0cb211d9c

Comment 6 Fedora Update System 2018-03-30 15:17:26 UTC
krb5-1.16-18.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a0cb211d9c

Comment 7 Fedora Update System 2018-04-01 19:07:23 UTC
krb5-1.16-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.