Bug 2187722

Summary: PKINIT module initialization fails if a well-known MODP group cannot be loaded [rhel-9]

Product: Red Hat Enterprise Linux 9
Component: krb5
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Reporter: Filip Dvorak <fdvorak>
Assignee: Julien Rische <jrische>
QA Contact: Michal Polovka <mpolovka>
Docs Contact:
CC: abokovoy, cllang, dbelyavs, frenaud, ftrivino, hkario, jrische, mjurasek
Keywords: Triaged, ZStream
Flags: pm-rhel: mirror+
Whiteboard:
Fixed In Version: krb5-1.21.1-1.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Clones: 2209715 2214297
Environment:
Last Closed: 2023-11-07 08:56:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2144442, 2209715, 2214297

Description Filip Dvorak 2023-04-18 14:26:40 UTC
Description of problem:
PKINIT preauth stopped working (the MIT krb5 KDC does not send a PA-PK-AS-REQ in KRB5KDC_ERR_PREAUTH_REQUIRED) with openssl-libs-3.0.7-9.el9_2 and newer in FIPS mode on RHEL 9.2.

Version-Release number of selected component (if applicable):
RHEL9.2
krb5-server-1.20.1-8.el9.x86_64
openssl-libs-3.0.7-12.el9_2.x86_64


How reproducible:
always

Steps to Reproduce:
1. Set up PKINIT and generate certs (the certificates used and the generating script were attached)

kdc.conf (conf file was attached)
- add the pkinit options into kdc.conf
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
- supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal

- create user alice with "REQUIRES_PRE_AUTH" attribute

krb5.conf (conf file was attached)
- add the pkinit options into krb5.conf
  pkinit_anchors = FILE:/etc/krb5/cacert.pem
  pkinit_identities = FILE:/etc/krb5/alice.pem,/etc/krb5/alicekey.pem

- fips-mode-setup --enable
- update-crypto-policies --set FIPS

Actual results:
# kinit alice
[68340] 1681826975.764972: Matching alice@TEST.REDHAT.COM in collection with result: 0/Success
[68340] 1681826975.764973: Getting initial credentials for alice@TEST.REDHAT.COM
[68340] 1681826975.764975: Sending unauthenticated request
[68340] 1681826975.764976: Sending request (192 bytes) to TEST.REDHAT.COM
[68340] 1681826975.764977: Resolving hostname xx
[68340] 1681826975.764978: Sending initial UDP request to dgram xx:88
[68340] 1681826975.764979: Received answer (249 bytes) from dgram xx:88
[68340] 1681826975.764980: Sending DNS URI query for _kerberos.TEST.REDHAT.COM.
[68340] 1681826975.764981: No URI records found
[68340] 1681826975.764982: Sending DNS SRV query for _kerberos-master._udp.TEST.REDHAT.COM.
[68340] 1681826975.764983: Sending DNS SRV query for _kerberos-master._tcp.TEST.REDHAT.COM.
[68340] 1681826975.764984: No SRV records found
[68340] 1681826975.764985: Response was not from primary KDC
[68340] 1681826975.764986: Received error from KDC: -1765328359/Additional pre-authentication required
[68340] 1681826975.764989: Preauthenticating using KDC method data
[68340] 1681826975.764990: Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[68340] 1681826975.764991: Selected etype info: etype aes256-sha2, salt "TEST.REDHAT.COMalice", params ""
[68340] 1681826975.764992: Received cookie: MIT
Password for alice@TEST.REDHAT.COM:
...

Expected results:
# kinit alice
# klist 
Ticket cache: KCM:0
Default principal: alice@TEST.REDHAT.COM

Valid starting     Expires            Service principal
04/18/23 10:10:40  04/19/23 10:10:40  krbtgt/TEST.REDHAT.COM@TEST.REDHAT.COM
	renew until 04/18/23 10:10:40

Additional info:
- the same scenario (the same certificates + settings) passed with openssl-libs-3.0.7-6.el9_2.x86_64
- the non-FIPS scenario works
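
The client-side trace above already shows the symptom: the KDC's method data lists PA-FX-FAST, PA-ETYPE-INFO2, PA-ENC-TIMESTAMP and PA-FX-COOKIE but no PA-PK-AS-REQ (padata type 16, RFC 4556), which is the type a KDC whose PKINIT module loaded advertises in KRB5KDC_ERR_PREAUTH_REQUIRED. The following is an added example, not code from this bug report or from krb5: a small Python checker that parses KRB5_TRACE client output for the offered pre-authentication types and reports whether PKINIT was among them. The sample trace lines are constructed from the excerpt above, and the function names are this example's own.

```python
"""Check KRB5_TRACE client output for KDC-advertised pre-authentication types.

Added example (not krb5 code). If the KDC's PKINIT module failed to
initialize, PA-PK-AS-REQ (16) is simply missing from the offered list,
which is exactly what the trace in this bug shows.
"""
import re

PA_PK_AS_REQ = 16  # PKINIT padata type the KDC advertises (RFC 4556)

# Constructed sample: the two relevant lines from the failing run above
# (no PKINIT type offered).
BROKEN_TRACE = """\
[68340] 1681826975.764986: Received error from KDC: -1765328359/Additional pre-authentication required
[68340] 1681826975.764990: Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
"""

# Constructed sample of a KDC with a working PKINIT module: the same list
# plus PA-PK-AS-REQ (16).
HEALTHY_TRACE = """\
[68340] 1681826975.764986: Received error from KDC: -1765328359/Additional pre-authentication required
[68340] 1681826975.764990: Processing preauth types: PA-FX-FAST (136), PA-PK-AS-REQ (16), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
"""

_PREAUTH_LINE = re.compile(r"Processing preauth types: (?P<types>.+)$")
# Known types are printed as "NAME (number)"; a bare number is kept as "unknown".
_NAMED = re.compile(r"(?P<name>[A-Za-z0-9_-]+) \((?P<num>\d+)\)")


def offered_preauth_types(trace_text):
    """Map padata number -> name for every type found in 'Processing preauth types' lines."""
    offered = {}
    for line in trace_text.splitlines():
        m = _PREAUTH_LINE.search(line)
        if not m:
            continue
        for entry in m.group("types").split(","):
            entry = entry.strip()
            named = _NAMED.fullmatch(entry)
            if named:
                offered[int(named.group("num"))] = named.group("name")
            elif entry.isdigit():
                offered[int(entry)] = "unknown"
    return offered


def kdc_offers_pkinit(trace_text):
    """True if the KDC advertised PA-PK-AS-REQ in its method data."""
    return PA_PK_AS_REQ in offered_preauth_types(trace_text)


def diagnose(trace_text):
    """One-line verdict for a client trace."""
    types = offered_preauth_types(trace_text)
    if not types:
        return "no preauth method data in trace (KDC did not answer with KRB5KDC_ERR_PREAUTH_REQUIRED)"
    if PA_PK_AS_REQ in types:
        return "PKINIT offered by KDC"
    return "PKINIT not offered: KDC pkinit module not loaded (collect KDC-side KRB5_TRACE)"


if __name__ == "__main__":
    for label, trace in (("broken", BROKEN_TRACE), ("healthy", HEALTHY_TRACE)):
        print(f"{label}: {sorted(offered_preauth_types(trace))} -> {diagnose(trace)}")
```

Run it against a real capture with `KRB5_TRACE=/dev/stderr kinit alice 2> trace.log` and feed `trace.log` to `diagnose()`; a missing type 16 on the client side means the next step is the KDC-side trace, as comment 3 below asks for.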

Comment 3 Alexander Bokovoy 2023-04-18 14:38:24 UTC
Can you add a systemd snippet to krb5kdc.service that sets KRB5_TRACE for the krb5kdc process and then collect the trace there? If the KDC does not respond with PKINIT pre-auth types, the client will not see them, obviously, so we need to understand what happens in the pkinit KDC plugin code.

Comment 31 Julien Rische 2023-05-23 16:28:18 UTC
This downstream merge request fixes the issue on the OpenSSL side by re-enabling the DHX key type:
https://gitlab.com/redhat/centos-stream/rpms/openssl/-/merge_requests/109

However, it will not be possible to load groups that are not considered well-known by OpenSSL. This is the case for group 2.

I opened a krb5 upstream pull request to allow the PKINIT plugin to be loaded if at least one of groups 2, 14, or 16 is available:
https://github.com/krb5/krb5/pull/1303

Comment 41 Michal Polovka 2023-06-22 10:29:46 UTC
Verified using automation from bash-sanity-pkinit-sanity and krb5-server-works-with-AD-server in FIPS mode with krb5-server-1.20.1-9.el9_2.x86_64.

::   Duration: 314s
::   Phases: 24 good, 0 bad
::   OVERALL RESULT: PASS (/CoreOS/krb5/Sanity/pkinit-sanity)
https://idm-artifacts.psi.redhat.com/idm-ci/idm-ci/trigger/prod/trigger/run/null/2885/



::   Duration: 137s
::   Phases: 10 good, 0 bad
::   OVERALL RESULT: PASS (/CoreOS/krb5/Sanity/krb5-server-works-with-AD-server)
https://idm-artifacts.psi.redhat.com/idm-ci/idm-ci/trigger/prod/trigger/run/null/2883/

Marking as verified. Complete test log is an attachment of this BZ. Also marking as pre-verified tested, as this version has been preverified in 9.2z and 9.3 just inherited this build.

Comment 52 errata-xmlrpc 2023-11-07 08:56:13 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: krb5 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6699