Red Hat Bugzilla – Bug 1127995
aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
Last modified: 2015-03-05 05:01:20 EST
+++ This bug was initially created as a clone of Bug #1127992 +++

Description of problem:
When performing OTP authentication with `kinit', an aggressive timeout causes, with >50% likelihood (in my environment, YMMV), a second transmission of the AS_REQ request. When using HOTP authentication, if a response to the second request (which necessarily fails) is received and processed ahead of the response to the first request, `kinit' fails (and the ticket in the successful response is discarded).

Version-Release number of selected component (if applicable):
krb5-workstation-1.11.5-10

How reproducible:
In my setup, a resend occurs >50% of the time, and failure occurs in the majority of these cases.

Steps to Reproduce:
1. Use `kinit' to perform a preauthenticated ticket request, using krb5-1.11.5. (I have mainly been using the FreeIPA web UI, since it takes care of getting the armor cache.)
2. Observe that, with high probability, multiple requests are received by the KDC, and one of these fails when HOTP is used.
Example /var/log/krb5kdc.log:

Aug 08 00:12:38 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: NEEDED_PREAUTH: HTTP/ipa-2.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa-2.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa-2.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: NEEDED_PREAUTH: bresc@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28303](info): closing down fd 13
Aug 08 00:12:40 ipa-2.ipa.local krb5kdc[28303](info): preauth (otp) verify failure: Generic preauthentication failure
Aug 08 00:12:40 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: PREAUTH_FAILED: bresc@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Preauthentication failed
Aug 08 00:12:41 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, bresc@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Aug 08 00:12:41 ipa-2.ipa.local krb5kdc[28303](info): closing down fd 13

Actual results:
Multiple preauthenticated AS_REQ requests from kinit to KDC, one of which fails due to HOTP token counter increment, causing authentication failure. Occurs with high probability.

Expected results:
A single preauthenticated AS_REQ request from kinit to KDC (or, more specifically, a reasonable timeout prior to retry). Assuming correct credentials, client receives ticket.
Additional info:
Backport of krb5 commit f423c28 (Dynamically expand timeout when TCP connects) was undertaken, but did not resolve the issue; the Fedora package patch that was used is attached.

A recent comment by Greg Hudson on the original upstream ticket may be relevant: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7604

This problem does not occur in krb5-1.12 on f21.
/CoreOS/krb5/Regression/bz922884-kinit-should-finish-when-the-tcp-socket-is-closed

OLD: krb5-1.11.3-49.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: BZ#1127995:Dynamically expand timeout when TCP connects
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command '{ time -p echo Ar1€lKRBp@ss | kinit Ariel; } &>kinit.log' (Expected 1, got 1)
:: [ FAIL ] :: The kinit timeout should be at least 20 seconds (Assert: "19" should be greater than "20")
:: [ LOG ] :: Duration: 19s
:: [ LOG ] :: Assertions: 1 good, 1 bad
:: [ FAIL ] :: RESULT: BZ#1127995:Dynamically expand timeout when TCP connects

NEW: krb5-1.12.2-14.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: BZ#1127995:Dynamically expand timeout when TCP connects
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command '{ time -p echo Ar1€lKRBp@ss | kinit Ariel; } &>kinit.log' (Expected 1, got 1)
:: [ PASS ] :: The kinit timeout should be at least 20 seconds (Assert: "37" should be greater than "20")
:: [ LOG ] :: Duration: 37s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: BZ#1127995:Dynamically expand timeout when TCP connects
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0439.html