Bug 1540130

Summary: [RFE] make preauth types more descriptive in krb5 trace
Product: Red Hat Enterprise Linux 7
Reporter: Robbie Harwood <rharwood>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.4
CC: abokovoy, dpal, extras-qa, j, nalin, npmccallum, pkis, rharwood, sbose, ssorce
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://github.com/krb5/krb5/pull/746
Whiteboard:
Fixed In Version: krb5-1.15.1-32.el7
Doc Type: Enhancement
Doc Text:
Feature: human-readable preauth names in krb5 traces
Reason: debuggability, especially for support
Result: fewer magic numbers in debug output
Story Points: ---
Clone Of: 1540086
Environment:
Last Closed: 2018-10-30 08:08:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1540086
Bug Blocks:

Description Robbie Harwood 2018-01-30 10:29:01 UTC
+++ This bug was initially created as a clone of Bug #1540086 +++

When pre-auth mechanisms are reported in an AS-REQ/AS-REP exchange between a Kerberos initiator and a KDC, there is no way to tell what they are except by knowing them by heart.

It would be nice to have KRB5_TRACE provide the name of the preauth module that handles a specific mechanism.

An example:
$ KRB5_TRACE=/dev/stderr kinit abbra
[30477] 1517302644.484474: Resolving unique ccache of type KEYRING
[30477] 1517302644.484475: Getting initial credentials for abbra
[30477] 1517302644.484477: Sending request (183 bytes) to FEDORAPROJECT.ORG
[30477] 1517302644.484478: Resolving hostname id.fedoraproject.org
[30477] 1517302645.51056: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302645.51057: Sending HTTPS request to https 140.211.169.206:443
[30477] 1517302645.51058: Received answer (317 bytes) from https 140.211.169.206:443
[30477] 1517302645.51059: Terminating TCP connection to https 140.211.169.206:443
[30477] 1517302646.200324: Response was not from master KDC
[30477] 1517302646.200325: Received error from KDC: -1765328359/Additional pre-authentication required
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133

In the line above we have a list of preauth types returned by the KDC, but no explanation of which preauth modules could handle them.

[30477] 1517302646.200329: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302646.200330: Received cookie: MIT
Password for abbra: 
[30477] 1517302651.883541: AS key obtained for encrypted timestamp: aes256-cts/02B4
[30477] 1517302651.883543: Encrypted timestamp (for 1517302651.177437): plain 301AA011180F32303138303133303038353733315AA105020302B51D, encrypted A62EAB9C8913CCE3C6B7E955B830510CC42F565DF925A63C97E6178EC245F17D4C871148DECA652E9A64120ED608E8283E06C9B284B4EEEE
[30477] 1517302651.883544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[30477] 1517302651.883545: Produced preauth for next request: 133, 2

Here we chose two modules for the next request, but only one module explains its preauth type. It would be good to have all of them covered.

[30477] 1517302651.883546: Sending request (278 bytes) to FEDORAPROJECT.ORG
[30477] 1517302651.883547: Resolving hostname id.fedoraproject.org
[30477] 1517302652.258952: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302652.258953: Sending HTTPS request to https 209.132.190.2:443
[30477] 1517302652.258954: Received answer (743 bytes) from https 209.132.190.2:443
[30477] 1517302652.258955: Terminating TCP connection to https 209.132.190.2:443
[30477] 1517302653.408571: Response was not from master KDC
[30477] 1517302653.408572: Processing preauth types: 19

Here we get another preauth type response but no explanation of the module handling the type.

[30477] 1517302653.408573: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408575: AS key determined by preauth: aes256-cts/02B4
[30477] 1517302653.408576: Decrypted AS reply; session key is: aes256-cts/01D7
[30477] 1517302653.408577: FAST negotiation: available

Having the preauth module name annotated next to the preauth type could help with debugging and also with support cases.
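An added example, not part of this bug report or of the krb5 fix: a small Python post-processor that annotates the two KRB5_TRACE messages quoted above ("Processing preauth types" and "Produced preauth for next request") with the registered preauth type names, so a trace captured from a client that predates the fix can still be read without memorising the numbers. The name table is my own assumption, taken from the IANA Kerberos pre-authentication registry; numbers it does not know are passed through unchanged, as is the "(empty)" case.

```python
import re

# Assumed mapping of preauth type numbers to their registered names, taken from
# the IANA Kerberos pre-authentication registry (RFC 4120, RFC 4556, RFC 6113,
# RFC 8062); the trace in the bug report only shows the numbers.
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    14: "PA-PK-AS-REQ-OLD",
    15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    138: "PA-ENCRYPTED-CHALLENGE",
    147: "PA-PKINIT-KX",
}

# The two KRB5_TRACE messages that list bare preauth type numbers.
_LIST_RE = re.compile(
    r"^(?P<prefix>.*(?:Processing preauth types|"
    r"Produced preauth for next request): )"
    r"(?P<types>\(empty\)|\d+(?:, \d+)*)$"
)

def describe_type(num: int) -> str:
    """Render one type as 'NAME (n)'; unknown numbers are passed through."""
    name = PA_NAMES.get(num)
    return f"{name} ({num})" if name else str(num)

def annotate_line(line: str) -> str:
    """Annotate one trace line; every other line is returned unchanged."""
    m = _LIST_RE.match(line.rstrip("\n"))
    if not m or m.group("types") == "(empty)":
        return line
    described = ", ".join(describe_type(int(t)) for t in m.group("types").split(", "))
    return m.group("prefix") + described

def annotate_trace(text: str) -> str:
    """Annotate a whole KRB5_TRACE capture, line by line."""
    return "\n".join(annotate_line(ln) for ln in text.splitlines())

if __name__ == "__main__":
    # Constructed sample, copied from the trace in the bug description.
    sample = (
        "[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133\n"
        "[30477] 1517302651.883545: Produced preauth for next request: 133, 2\n"
        "[30477] 1517302653.408574: Produced preauth for next request: (empty)\n"
    )
    print(annotate_trace(sample))
```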

Comment 10 errata-xmlrpc 2018-10-30 08:08:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3071