RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
Summary: aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.1
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On: 1127992
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-08 05:18 UTC by Fraser Tweedale
Modified: 2015-03-05 10:01 UTC (History)
6 users (show)

Fixed In Version: krb5-1.12.2-7.el7
Doc Type: Rebase: Enhancements Only
Doc Text:
Important: if this rebase also contains *bug fixes* (or contains only bug fixes), select the correct option from the Doc Type drop-down list. Rebase package(s) to version: 1.12 Highlights and notable enhancements: When communicating with a KDC using a connected (TCP or HTTPS) socket, the client now gives the KDC more time to reply to the client's request before attempting to transmit the request to another server. In deployments where the KDC needs to contact a second server to complete its work, this can significantly reduce the number of unnecessary request retransmissions the client makes.
Clone Of: 1127992
Environment:
Last Closed: 2015-03-05 10:01:20 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC

Description Fraser Tweedale 2014-08-08 05:18:53 UTC 
+++ This bug was initially created as a clone of Bug #1127992 +++

Description of problem:

When performing OTP authentication with `kinit', an aggressive timeout causes, with >50% likelihood (in my environment, YMMV), a second transmission of the AS_REQ request.

When using HOTP authentication, if a response to the second request (which necessarily fails) is received and processed ahead of the response to the first request, `kinit' fails (and the ticket in the successful response is discarded).


Version-Release number of selected component (if applicable):

krb5-workstation-1.11.5-10


How reproducible:

In my setup, resent occurs >50% of time, and failure occurs in the majority of these cases.


Steps to Reproduce:
1. Use `kinit' to perform a preauthenticated ticket request, using krb5-1.11.5. (I have mainly be using the FreeIPA web UI, since it take care of getting the armor cache).
2. Observe that, with high probability, multiple requests are received by KDC, and one of these fails when HOTP is used.  Example /var/log/krb5kdc.log:

Aug 08 00:12:38 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: NEEDED_PREAUTH: HTTP/ipa-2.ipa.local for krbtgt/IPA.LOCAL, Additional pre-authentication required
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa-2.ipa.local for krbtgt/IPA.LOCAL
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa-2.ipa.local for krbtgt/IPA.LOCAL
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: NEEDED_PREAUTH: bresc for krbtgt/IPA.LOCAL, Additional pre-authentication required
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28303](info): closing down fd 13
Aug 08 00:12:40 ipa-2.ipa.local krb5kdc[28303](info): preauth (otp) verify failure: Generic preauthentication failure
Aug 08 00:12:40 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: PREAUTH_FAILED: bresc for krbtgt/IPA.LOCAL, Preauthentication failed
Aug 08 00:12:41 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, bresc for krbtgt/IPA.LOCAL
Aug 08 00:12:41 ipa-2.ipa.local krb5kdc[28303](info): closing down fd 13


Actual results:

Multiple preauthenticated AS_REQ requests from kinit to KDC, one of which fails due to HOTP token counter increment, causing authentication failure.  Occurs with high probability.

Expected results:

A single preauthenticated AS_REQ request from kinit to KDC (or more specifically, a reasonable timeout prior to retry).  Assuming correct credentials, client receives ticket.


Additional info:

Backport of krb5 commit f423c28 (Dynamically expand timeout when TCP connects) was undertaken, but did not resolve issue; the Fedora package patch that was used is attached.

Recent comment by Greg Hudson on the original upstream ticket may be relevant: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7604

This problem does not occur in krb5-1.12 on f21.
Comment 4 Patrik Kis 2015-02-02 11:14:14 UTC 
/CoreOS/krb5/Regression/bz922884-kinit-should-finish-when-the-tcp-socket-is-closed

OLD: krb5-1.11.3-49.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ#1127995:Dynamically expand timeout when TCP connects
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command '{ time -p echo Ar1€lKRBp@ss | kinit Ariel; } &>kinit.log' (Expected 1, got 1)
:: [   FAIL   ] :: The kinit timeout should be at least 20 seconds (Assert: "19" should be greater than "20")
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 1 good, 1 bad
:: [   FAIL   ] :: RESULT: BZ#1127995:Dynamically expand timeout when TCP connects


NEW: krb5-1.12.2-14.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ#1127995:Dynamically expand timeout when TCP connects
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command '{ time -p echo Ar1€lKRBp@ss | kinit Ariel; } &>kinit.log' (Expected 1, got 1)
:: [   PASS   ] :: The kinit timeout should be at least 20 seconds (Assert: "37" should be greater than "20")
:: [   LOG    ] :: Duration: 37s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: BZ#1127995:Dynamically expand timeout when TCP connects
Comment 6 errata-xmlrpc 2015-03-05 10:01:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html
Note You need to log in before you can comment on or make changes to this bug.