Bug 2064823
Summary: | SHA-1 no longer available for CMS digest during PKINIT [rhel-9.1.0] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Trivino <ftrivino> |
Component: | krb5 | Assignee: | Julien Rische <jrische> |
Status: | CLOSED ERRATA | QA Contact: | Filip Dvorak <fdvorak> |
Severity: | high | Docs Contact: | Filip Hanzelka <fhanzelk> |
Priority: | high | ||
Version: | 9.1 | CC: | abokovoy, dciabrin, fdvorak, fhanzelk, ftrivino, gfialova, jrische, jvilicic, lmiccini, michele, mpolovka, njohnston, pasik, pgm-rhel-tools, pmendezh, rcritten, spoore, ssorce, tscherf |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | krb5-1.19.1-15.el9 | Doc Type: | Known Issue |
Doc Text: |
.The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD
The Active Directory (AD) Kerberos Key Distribution Center (KDC) supports a different set of Cryptographic Message Syntax (CMS) signature algorithms than the MIT `krb5-pkinit` package used by RHEL 9 clients.
The AD KDC currently supports:
* md5WithRSAEncryption
* sha1WithRSAEncryption
* ecdsa-with-sha1/256/384/512
MIT `krb5-pkinit` currently supports:
* sha256WithRSAEncryption
* sha512WithRSAEncryption
Because the two sets do not overlap, RHEL 9 clients fail to authenticate a user against an AD KDC by using Public Key Cryptography for Initial Authentication (PKINIT).
To work around the problem, enable the deprecated `sha1WithRSAEncryption` algorithm on your RHEL 9 clients by adding the `SHA1` sub-policy to the system-wide crypto policy:
----
# update-crypto-policies --set DEFAULT:SHA1
----
`update-crypto-policies --show` then prints `DEFAULT:SHA1`. The policy is applied to applications as they start, so restart the affected services or reboot the client for the change to take full effect. Note that the sub-policy re-enables SHA-1 signatures system-wide, not only for Kerberos.
As a result, PKINIT authentication works between the RHEL 9 Kerberos clients and the AD KDC.
|
Story Points: | --- |
Clone Of: | 2060798 | Environment: | |
Last Closed: | 2022-11-15 11:11:42 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2060798, 2066316, 2066319, 2067121 | ||
Bug Blocks: | 2057471, 2067971, 2124308, 2124310 |
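Added example (not from the krb5 project or from this bug's Doc Text): a small Python script that walks the DER of a CMS SignedData, the body a KDC returns in PA-PK-AS-REP during PKINIT, and reports which signature algorithms it uses and which of those fall outside the set the Doc Text lists for MIT krb5-pkinit on RHEL 9. The SignedData it parses is constructed inline with a dummy signer and a dummy signature; the OID table, the MIT_SUPPORTED set and the function names are this example's own. To examine a real exchange, feed it the CMS ContentInfo carried in the PA-PK-AS-REP (the dhSignedData or encKeyPack octets) taken from a packet capture.

```python
# Added example for the Doc Text above; it is not code from the krb5 project or
# from this Bugzilla entry. It walks the DER of a CMS SignedData, the body a KDC
# returns in PA-PK-AS-REP during PKINIT, lists the signature algorithms it uses,
# and flags those outside the set the Doc Text says MIT krb5-pkinit accepts on
# RHEL 9. The sample SignedData is constructed here with a dummy signer and a
# dummy signature; it is not a capture from a real AD KDC.

# Signature-algorithm OIDs for the names listed in the Doc Text.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# What the Doc Text says MIT krb5-pkinit on RHEL 9 accepts.
MIT_SUPPORTED = {"sha256WithRSAEncryption", "sha512WithRSAEncryption"}

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData (RFC 5652)
OID_PKINIT_DHKEYDATA = "1.3.6.1.5.2.3.2"  # id-pkinit-DHKeyData (RFC 4556)
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Inverse of encode_oid, taking the OID body without tag and length."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def alg_id(oid):
    """AlgorithmIdentifier with NULL parameters, as RSA PKCS#1 signatures use."""
    return tlv(0x30, encode_oid(oid) + b"\x05\x00")


def build_sample_reply(sig_oid, digest_oid):
    """Constructed minimal ContentInfo/SignedData shaped like a PA-PK-AS-REP body."""
    signer_info = tlv(0x30,
        tlv(0x02, b"\x01")                                # version 1
        + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))  # issuerAndSerialNumber (dummy)
        + alg_id(digest_oid)                              # digestAlgorithm
        + alg_id(sig_oid)                                 # signatureAlgorithm
        + tlv(0x04, b"\x00" * 16))                        # signature (dummy bytes)
    signed_data = tlv(0x30,
        tlv(0x02, b"\x03")                                # version 3
        + tlv(0x31, alg_id(digest_oid))                   # digestAlgorithms
        + tlv(0x30, encode_oid(OID_PKINIT_DHKEYDATA))     # encapContentInfo, eContent absent
        + tlv(0x31, signer_info))                         # signerInfos
    return tlv(0x30, encode_oid(OID_SIGNED_DATA) + tlv(0xA0, signed_data))


def iter_tlv(data):
    """Yield (tag, body) for each element of a run of DER TLVs (single-byte tags only)."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:
            n = first & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        else:
            length = first
        yield tag, data[i:i + length]
        i += length


def collect_oids(data, found=None):
    """Depth-first list of every OID in the structure, descending into constructed types."""
    if found is None:
        found = []
    for tag, body in iter_tlv(data):
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0] EXPLICIT, ...
            collect_oids(body, found)
    return found


def signature_algorithms(cms):
    """Names of the signature algorithms present, in order of first appearance."""
    names = []
    for oid in collect_oids(cms):
        name = OID_NAMES.get(oid)
        if name and name not in names:
            names.append(name)
    return names


def rejected_by_rhel9_default(cms):
    """Signature algorithms the Doc Text says MIT krb5-pkinit on RHEL 9 does not accept."""
    return [n for n in signature_algorithms(cms) if n not in MIT_SUPPORTED]


if __name__ == "__main__":
    # An AD-style reply signed with sha1WithRSAEncryption, as the Doc Text describes.
    from_ad = build_sample_reply("1.2.840.113549.1.1.5", OID_SHA1)
    print("signature algorithms:", signature_algorithms(from_ad))
    print("rejected under DEFAULT:", rejected_by_rhel9_default(from_ad))
```

The walker ignores OIDs it does not know, so digest-algorithm and content-type OIDs in the structure do not show up in the report; only the signature algorithms named in the Doc Text are classified.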
Comment 5
Alexander Bokovoy
2022-03-17 19:01:47 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (krb5 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8271