Bug 1076197 - please add support for rxkad-kdf for AFS tokens
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-03-13 18:33 UTC by Benjamin Kaduk
Modified: 2016-01-08 20:53 UTC

Fixed In Version: pam_krb5-2.4.12-1.fc23
Last Closed: 2016-01-08 20:53:18 UTC
Type: Bug

Description Benjamin Kaduk 2014-03-13 18:33:10 UTC
Description of problem:

pam_krb5 supports obtaining AFS tokens, but only supports tokens using the traditional 2b and rxk5 token formats, requiring a single-DES session key in the Kerberos ticket.  Since many sites are trying to disable the use of single-DES for Kerberos, a KDF algorithm has been specified for using Kerberos session keys of other enctypes to produce fcrypt keys that can be used for AFS tokens.  This allows single-DES to be disabled at the KDC, although it does not change the fcrypt encryption used by AFS on the wire.  Having pam_krb5 support this new rxkad-kdf token scheme would make it easier for sites to disable the use of single-DES in Kerberos.


Additional info:

This KDF scheme was originally published at http://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html .  The same document is also available (under a different name/number) through the IETF tools, at http://tools.ietf.org/html/draft-kaduk-afs3-rxkad-k5-kdf-00 .
Single-DES is officially deprecated for use in Kerberos, per http://tools.ietf.org/html/rfc6649 .
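
A sketch of the derivation step the description refers to, added here as an example and not taken from the report, pam_krb5, or OpenAFS: a session key of a non-DES enctype is fed through HMAC-MD5 in counter mode to yield an 8-byte, DES-shaped key usable as an fcrypt key. The message layout (one-octet counter, label `rxkad`, NUL separator, 32-bit big-endian output length of 64) and the weak-key retry are assumptions to verify against the linked draft; single-DES and triple-DES session keys are not covered.

```python
import hashlib
import hmac

# Weak and semi-weak DES keys in odd-parity form (the standard 16-entry list).
WEAK_DES_KEYS = {bytes.fromhex(k) for k in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
    "011f011f010e010e", "1f011f010e010e01", "01e001e001f101f1", "e001e001f101f101",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
)}

LABEL = b"rxkad"                     # assumed KDF label
OUT_BITS = (64).to_bytes(4, "big")   # assumed: L = 64 as a 32-bit big-endian field


def set_odd_parity(block: bytes) -> bytes:
    """Force the low bit of every byte so each byte has an odd number of 1 bits."""
    out = bytearray()
    for b in block:
        high7 = b & 0xFE
        out.append(high7 | (1 if bin(high7).count("1") % 2 == 0 else 0))
    return bytes(out)


def derive_fcrypt_key(session_key: bytes) -> bytes:
    """Derive an 8-byte DES-shaped key from a longer Kerberos session key."""
    if len(session_key) < 7:
        raise ValueError("session key too short to yield 56 key bits")
    # Counter-mode PRF: a weak result is skipped, not patched, by moving
    # on to the next counter value.
    for counter in range(1, 256):
        msg = bytes([counter]) + LABEL + b"\x00" + OUT_BITS
        block = hmac.new(session_key, msg, hashlib.md5).digest()[:8]
        candidate = set_odd_parity(block)
        if candidate not in WEAK_DES_KEYS:
            return candidate
    raise ValueError("every counter value produced a weak DES key")


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed 256-bit key, not a real session key
    print(derive_fcrypt_key(demo_key).hex())
```

The output is only as strong as the 56-bit key it produces: as the description notes, the derivation lets the KDC drop single-DES enctypes but leaves the fcrypt encryption on the wire unchanged.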

Comment 1 Dmitri Pal 2014-03-14 17:43:48 UTC
I suspect you will have 0 success with pam_krb5 as this is a dying breed. I suggest you look at SSSD, open a similar ticket for it and contribute a feature.
Please start with opening an SSSD upstream ticket.

Comment 2 Jaroslav Reznik 2015-03-03 15:34:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 3 Fedora Admin XMLRPC Client 2015-09-08 17:51:25 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Nalin Dahyabhai 2016-01-05 15:19:29 UTC
I think this should work correctly in the just-tagged 2.4.12.

Comment 5 Fedora Update System 2016-01-06 16:25:30 UTC
pam_krb5-2.4.12-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-da1145ad41

Comment 6 Fedora Update System 2016-01-07 04:53:31 UTC
pam_krb5-2.4.12-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-da1145ad41

Comment 7 Fedora Update System 2016-01-08 20:53:14 UTC
pam_krb5-2.4.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
