Bug 1127995 - aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
Summary: aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.1
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On: 1127992
Blocks:
 
Reported: 2014-08-08 05:18 UTC by Fraser Tweedale
Modified: 2015-03-05 10:01 UTC (History)

Fixed In Version: krb5-1.12.2-7.el7
Doc Type: Rebase: Enhancements Only
Doc Text:
Rebase package(s) to version: 1.12 Highlights and notable enhancements: When communicating with a KDC using a connected (TCP or HTTPS) socket, the client now gives the KDC more time to reply to the client's request before attempting to transmit the request to another server. In deployments where the KDC needs to contact a second server to complete its work, this can significantly reduce the number of unnecessary request retransmissions the client makes.
Clone Of: 1127992
Environment:
Last Closed: 2015-03-05 10:01:20 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0439 normal SHIPPED_LIVE Moderate: krb5 security, bug fix and enhancement update 2015-03-05 14:38:14 UTC

Description Fraser Tweedale 2014-08-08 05:18:53 UTC
+++ This bug was initially created as a clone of Bug #1127992 +++

Description of problem:

When performing OTP authentication with `kinit', an aggressive timeout causes, with >50% likelihood (in my environment, YMMV), a second transmission of the AS_REQ request.

When using HOTP authentication, if a response to the second request (which necessarily fails) is received and processed ahead of the response to the first request, `kinit' fails (and the ticket in the successful response is discarded).


Version-Release number of selected component (if applicable):

krb5-workstation-1.11.5-10


How reproducible:

In my setup, a resend occurs >50% of the time, and failure occurs in the majority of these cases.


Steps to Reproduce:
1. Use `kinit' to perform a preauthenticated ticket request, using krb5-1.11.5. (I have mainly been using the FreeIPA web UI, since it takes care of getting the armor cache).
2. Observe that, with high probability, multiple requests are received by KDC, and one of these fails when HOTP is used.  Example /var/log/krb5kdc.log:

Aug 08 00:12:38 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: NEEDED_PREAUTH: HTTP/ipa-2.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa-2.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa-2.ipa.local@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: NEEDED_PREAUTH: bresc@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Additional pre-authentication required
Aug 08 00:12:39 ipa-2.ipa.local krb5kdc[28303](info): closing down fd 13
Aug 08 00:12:40 ipa-2.ipa.local krb5kdc[28303](info): preauth (otp) verify failure: Generic preauthentication failure
Aug 08 00:12:40 ipa-2.ipa.local krb5kdc[28303](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: PREAUTH_FAILED: bresc@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL, Preauthentication failed
Aug 08 00:12:41 ipa-2.ipa.local krb5kdc[28302](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.141: ISSUE: authtime 1407471159, etypes {rep=18 tkt=18 ses=18}, bresc@IPA.LOCAL for krbtgt/IPA.LOCAL@IPA.LOCAL
Aug 08 00:12:41 ipa-2.ipa.local krb5kdc[28303](info): closing down fd 13


Actual results:

Multiple preauthenticated AS_REQ requests from kinit to KDC, one of which fails due to HOTP token counter increment, causing authentication failure.  Occurs with high probability.

Expected results:

A single preauthenticated AS_REQ request from kinit to KDC (or more specifically, a reasonable timeout prior to retry).  Assuming correct credentials, client receives ticket.


Additional info:

Backport of krb5 commit f423c28 (Dynamically expand timeout when TCP connects) was undertaken, but did not resolve issue; the Fedora package patch that was used is attached.

Recent comment by Greg Hudson on the original upstream ticket may be relevant: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7604

This problem does not occur in krb5-1.12 on f21.

Comment 4 Patrik Kis 2015-02-02 11:14:14 UTC
/CoreOS/krb5/Regression/bz922884-kinit-should-finish-when-the-tcp-socket-is-closed

OLD: krb5-1.11.3-49.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ#1127995:Dynamically expand timeout when TCP connects
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command '{ time -p echo Ar1€lKRBp@ss | kinit Ariel; } &>kinit.log' (Expected 1, got 1)
:: [   FAIL   ] :: The kinit timeout should be at least 20 seconds (Assert: "19" should be greater than "20")
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 1 good, 1 bad
:: [   FAIL   ] :: RESULT: BZ#1127995:Dynamically expand timeout when TCP connects


NEW: krb5-1.12.2-14.el7
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: BZ#1127995:Dynamically expand timeout when TCP connects
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command '{ time -p echo Ar1€lKRBp@ss | kinit Ariel; } &>kinit.log' (Expected 1, got 1)
:: [   PASS   ] :: The kinit timeout should be at least 20 seconds (Assert: "37" should be greater than "20")
:: [   LOG    ] :: Duration: 37s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: BZ#1127995:Dynamically expand timeout when TCP connects

Comment 6 errata-xmlrpc 2015-03-05 10:01:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html

