Bug 1571754
| Summary: | kinit failing for radius user when FIPS mode is enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Mohammad Rizwan <myusuf> |
| Component: | doc-Linux_Domain_Identity_Management_Guide | Assignee: | Marc Muehlfeld <mmuehlfe> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.5 | CC: | abokovoy, fhanzelk, frenaud, mkosek, myusuf, omoris, pasik, pkis, pvoborni, rcritten, rharwood, rhel-docs, rmitra, tscherf, vmishra |
| Target Milestone: | rc | Keywords: | Documentation |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |

Doc Text:
**RADIUS proxy functionality is now also available in IdM running in FIPS mode**

In FIPS mode, OpenSSL disables the use of the MD5 digest algorithm by default. Because the RADIUS protocol requires MD5 to wrap credentials with the shared secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail. If the RADIUS server is running on the same host as the IdM master, you can work around the problem by enabling MD5 within the secure perimeter.

To do that, create a file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content:

```
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
```

To apply the change, reload the *systemd* configuration:

```
# systemctl daemon-reload
```

and start the *radiusd* service:

```
# systemctl start radiusd
```

The configuration of the RADIUS proxy requires a common secret between the client and the server to wrap credentials. Specify this secret in the configuration of the RADIUS proxy in RHEL IdM using the command line interface (CLI) or the web UI.

To do it in the CLI:

```
# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
```
| Story Points: | --- | | |
|---|---|---|---|
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-09 10:31:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1559484 | | |
Upstream ticket: https://pagure.io/freeipa/issue/7551

Do we have a test setup for this? Would help to identify which component needs to be fixed.

Hi Robbie, I don't have a setup at the moment. I'll spin one and provide machine details.

Thanks Mohammad.
It appears that radiusd dying to SIGABRT causes the kinit failure. Here's a traceback:
```
(gdb) bt
#0 0x00007fd37e774207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fd37e7758f8 in __GI_abort () at abort.c:90
#2 0x00007fd37ff2b98f in OpenSSLDie (file=file@entry=0x7fd38006dcd3 "md5_dgst.c", line=line@entry=82,
    assertion=assertion@entry=0x7fd38006dcb0 "Digest MD5 forbidden in FIPS mode!") at cryptlib.c:1002
#3 0x00007fd37ff32209 in MD5_Init (c=c@entry=0x7fd3775578c0) at md5_dgst.c:82
#4 0x00007fd3805491bc in rad_pwdecode (
    passwd=passwd@entry=0x7fd377557a90 "\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, pwlen=pwlen@entry=16, secret=secret@entry=0x557522ecbb80 "testing123",
    vector=vector@entry=0x557522f94fa8 "\241\201\005[(\224\206^\200P\313\066\024\202Q!\241\201\005[")
    at src/lib/radius.c:4466
#5 0x00007fd38054a60a in data2vp (ctx=ctx@entry=0x557522f94f60, packet=packet@entry=0x557522f94f60,
    original=original@entry=0x0, secret=secret@entry=0x557522ecbb80 "testing123", da=0x557522cf1940,
    start=start@entry=0x557522f9509e "\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, attrlen=16, packetlen=16, pvp=pvp@entry=0x7fd377557c78) at src/lib/radius.c:3721
#6 0x00007fd38054af5d in rad_attr2vp (ctx=ctx@entry=0x557522f94f60,
    packet=packet@entry=0x557522f94f60, original=original@entry=0x0,
    secret=secret@entry=0x557522ecbb80 "testing123",
    data=data@entry=0x557522f9509c "\002\022\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, length=length@entry=18, pvp=pvp@entry=0x7fd377557c78) at src/lib/radius.c:4144
#7 0x00007fd38054cf8f in rad_decode (packet=0x557522f94f60, original=0x0,
    secret=0x557522ecbb80 "testing123") at src/lib/radius.c:4309
#8 0x0000557521c21868 in request_pre_handler (action=1, request=0x557522f95110)
    at src/main/process.c:1236
#9 request_running (request=0x557522f95110, action=<optimized out>) at src/main/process.c:1523
#10 0x0000557521c1a7bc in request_handler_thread (arg=0x557522f86790) at src/main/threads.c:698
#11 0x00007fd37ef8fdd5 in start_thread (arg=0x7fd377558700) at pthread_create.c:308
#12 0x00007fd37e83cb3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb)
```
This looks like an openssl assertion. In MD5_Init (#3), it's checking for FIPS mode and then dying. Right at that line, there appears to be an env var OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW that is also checked, but I can't actually find any docs on it. Probably best to check with openssl developers.
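The assertion in the backtrace fires inside `rad_pwdecode`, which is FreeRADIUS unhiding the RFC 2865 User-Password attribute, and the Doc Text field above states the same dependency in general terms: RADIUS wraps the credential with the shared secret using MD5. The following Python is an added example, not code from this bug, FreeRADIUS or FreeIPA, that implements that RFC 2865 hiding and unhiding so the MD5 dependency is concrete. The shared secret `testing123` and the password `Secret123` are taken from this page; the 16-byte Request Authenticator is a constructed value; `usedforsecurity=False` is Python's own MD5 opt-out, the analogue of the `OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1` environment variable discussed here.

```python
"""RFC 2865 User-Password hiding: the one place RADIUS needs MD5.

Added example, not code from this bug, FreeRADIUS or FreeIPA. The shared
secret "testing123" and password "Secret123" come from the bug report; the
16-byte Request Authenticator used below is a constructed value.
"""
import hashlib

BLOCK = 16          # MD5 digest length; the password is hidden 16 bytes at a time
MAX_PASSWORD = 128  # RFC 2865 section 5.2 caps the cleartext at 128 octets


def _md5(data: bytes) -> bytes:
    """MD5 used as a keystream generator, not as a security hash.

    On a FIPS-enforcing Python, plain hashlib.md5() raises ValueError, the
    analogue of the OpenSSL "Digest MD5 forbidden in FIPS mode!" abort in the
    backtrace. usedforsecurity=False (Python 3.9+) is Python's equivalent of
    the OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1 opt-out used in the workaround.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:  # Python < 3.9: keyword not accepted
        return hashlib.md5(data).digest()


def md5_allowed_for_security() -> bool:
    """False when the crypto policy (FIPS mode) blocks MD5 outright."""
    try:
        hashlib.md5(b"")
        return True
    except ValueError:
        return False


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: produce the User-Password attribute value (RFC 2865 5.2).

    b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
    b2 = MD5(secret + c1),                   c2 = p2 XOR b2, ...
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= MAX_PASSWORD:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL-pad to 16n
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = _md5(secret + prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += chunk
        prev = chunk  # each block chains on the previous ciphertext block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: what rad_pwdecode() in the backtrace does.

    A wrong shared secret does not error out; it yields garbage, which is why
    a misconfigured proxy secret shows up as Access-Reject, not as a crash.
    """
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        chunk = hidden[i:i + BLOCK]
        keystream = _md5(secret + prev)
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")  # strip the RFC 2865 NUL padding


if __name__ == "__main__":
    SECRET = b"testing123"            # from the backtrace on this page
    AUTHENTICATOR = bytes(range(16))  # constructed; real ones are random per request
    hidden = hide_password(b"Secret123", SECRET, AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())
    print("revealed:", reveal_password(hidden, SECRET, AUTHENTICATOR))
    print("MD5 allowed for security use:", md5_allowed_for_security())
```

Every block of the hidden password needs one MD5 call keyed on the shared secret, so there is no way to process a User-Password attribute without MD5; that is why the environment-variable opt-out is needed for radiusd rather than a configuration change on the IdM side.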
This environmental variable is described in https://bugzilla.redhat.com/show_bug.cgi?id=673071

I guess one possibility to avoid code modification is to add this variable to the systemd unit for radiusd. I did that on the test system and while radiusd didn't fail, it rejected the request.

```
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
```

```
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl start radiusd
[root@master ~]# kinit -n
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dfgnkl1
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
23.05.2018 12.20.36  24.05.2018 12.20.36  krbtgt/TESTRELM.TEST
[root@master ~]# kinit -T KEYRING:persistent:0:krb_ccache_dfgnkl1 radiususer
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
[root@master ~]# journalctl -f
-- Logs begin at ti 2018-05-22 06:42:11 EDT. --
touko 23 12:19:27 master.testrelm.test polkitd[1016]: Unregistered Authentication Agent for unix-process:13506:10663663 (system bus name :1.296, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
touko 23 12:20:01 master.testrelm.test systemd[1]: Started Session 95 of user root.
touko 23 12:20:01 master.testrelm.test systemd[1]: Starting Session 95 of user root.
touko 23 12:20:01 master.testrelm.test CROND[13529]: (root) CMD (test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null)
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer: request received
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer: user query start
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer: user query end: uid=radiususer,cn=users,cn=accounts,dc=testrelm,dc=test
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer: radius query start: cn=radiusproxy01,cn=radiusproxy,dc=testrelm,dc=test
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer: radius query end: 127.0.0.1
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer: forward start: radiususer / 127.0.0.1
touko 23 12:21:18 master.testrelm.test ipa-otpd[13070]: radiususer: forward end: Connection timed out
touko 23 12:21:18 master.testrelm.test ipa-otpd[13070]: radiususer: response sent: Access-Reject
^C
```

Ok, this was misconfiguration on the radiusproxy side:

```
[root@master ~]# ipa radiusproxy-mod radiusproxy01 --secret
Secret:
Enter Secret again to verify:
--------------------------------------------
Modified RADIUS proxy server "radiusproxy01"
--------------------------------------------
  RADIUS proxy server name: radiusproxy01
  Server: 127.0.0.1
  Secret: SOME-SECRET-AS-DEFINED-in-clients.conf
[root@master ~]# kinit -T KEYRING:persistent:0:krb_ccache_dfgnkl1 radiususer
Enter OTP Token Value:
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_5sMKPvE
Default principal: radiususer

Valid starting       Expires              Service principal
23.05.2018 12.28.46  24.05.2018 12.28.43  krbtgt/TESTRELM.TEST
```

So, basically, we need to document that for using FreeRADIUS with IPA in FIPS mode on the same IPA master, one needs to allow FreeRADIUS to use the MD5 algorithm via the following configuration sequence:

```
[root@master ~]# mkdir /etc/systemd/system/radiusd.service.d/
...
[root@master ~]# cat /etc/systemd/system/radiusd.service.d/ipa-otp.conf
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl start radiusd
```

Also, the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. This secret must be specified in the configuration of the RADIUS proxy in IPA.

Moving back to IPA.

I added a known issue doc note and would like to get comment 10 added as a section in the official documentation. Setting need info for Filip.

I am moving this BZ to a documentation bug as it does not require any work on the dev side but only a doc update. Unlinking upstream ticket.

The update is now available on the Customer Portal.
Description of problem:
kinit failing for radius user when FIPS mode is enabled

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.1.x86_64

How reproducible:
always

Steps to Reproduce:
1) yum install freeradius freeradius-ldap freeradius-utils
2) add ipa user
   $ ipa user-add --first None --last None radiususer --passwd
3) add radiusproxy
   $ ipa radiusproxy-add radiusproxy01 --server=127.0.0.1
4) modify radius user
   $ kinit admin
   $ ipa user-mod --user-auth-type=radius radiususer
   $ ipa user-mod --radius=radiusproxy01
5) add the following user entry to /etc/raddb/users
   radiususer Cleartext-Password := "Secret123"
6) start radiusd
   $ systemctl start radiusd
7) try login
   $ kdestroy -A
   $ kswitch -c KEYRING:persistent:0:0
   $ kinit admin
   $ kinit -T KEYRING:persistent:0:0 radiususer

Actual results:
kinit: Preauthentication failed while getting initial credentials

Expected results:
kinit pass