1251586 – KDC sends multiple requests to ipa-otpd for the same authentication

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1251586 - KDC sends multiple requests to ipa-otpd for the same authentication

Summary: KDC sends multiple requests to ipa-otpd for the same authentication

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	7.1
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Robbie Harwood
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1256870
TreeView+	depends on / blocked

Reported:	2015-08-07 19:57 UTC by Nathaniel McCallum
Modified:	2019-08-15 05:04 UTC (History)
CC List:	7 users (show)
Fixed In Version:	krb5-1.13.2-5.el7
Doc Type:	Bug Fix
Doc Text:	Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation.
Clone Of:
Clones:	1256870 (view as bug list)
Environment:
Last Closed:	2015-11-19 05:14:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:2154	0	normal	SHIPPED_LIVE	Moderate: krb5 security, bug fix, and enhancement update	2015-11-19 08:16:22 UTC

Description Nathaniel McCallum 2015-08-07 19:57:39 UTC

The patch at the following link fixes the issue and has been submitted upstream.

https://github.com/krb5/krb5/pull/308

Comment 2 Namita Soman 2015-08-07 20:20:34 UTC

Pls add steps to verify

Comment 3 Nathaniel McCallum 2015-08-07 20:34:15 UTC

1. Clean install of IPA.
2. Log in as admin: kinit admin
3. Add a radius server record (ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo).
4. DO NOT set up an actual radius server. We want the requests to time out.
5. Add a user: ipa user-add foo.
6. Set the user's password: ipa passwd foo
7. Configure user for radius: ipa user-mod foo --radius=foo --user-auth-type=radius
8. In another window, run: journalctl --follow
9. Authenticate as user foo.

In the journalctl window, you should see only one request processed by ipa-otpd rather than four.

Comment 4 Roland Mainz 2015-08-07 20:49:45 UTC

Taking bug myself and switching to "assigned" ...

Comment 5 Roland Mainz 2015-08-07 20:54:29 UTC

(In reply to Nathaniel McCallum from comment #0)
> The patch at the following link fixes the issue and has been submitted
> upstream.
> 
> https://github.com/krb5/krb5/pull/308

Sigh...
... npmccallum: Do you know any other places in krb5 territory which do a similar kind of retry for UDP which should not be used for reliable transports like TCP ?

Comment 6 Roland Mainz 2015-08-07 20:55:16 UTC

(In reply to Nathaniel McCallum from comment #0)
> The patch at the following link fixes the issue and has been submitted
> upstream.
> 
> https://github.com/krb5/krb5/pull/308

Patch OK, r=rmainz for https://github.com/krb5/krb5/commit/25e0656fdf9862faf9aa91288023776e9a47caad

Comment 7 Nathaniel McCallum 2015-08-07 21:28:38 UTC

No. This arose precisely because of the radius code as part of the OTP project.

Comment 8 Roland Mainz 2015-08-08 21:53:04 UTC

Patch checked-in (krb5-1.13.2-5.el7) ...

... marking bug as MODIFIED.

Comment 17 Xiyang Dong 2015-09-04 19:14:08 UTC

Verified based on Comment 3:
[root@ibm-x3650m4-01-vm-03 ~]# rpm -q krb5-server ipa-server
krb5-server-1.12.2-15.el7_1.x86_64
ipa-server-4.1.0-18.el7_1.4.x86_64

[root@ibm-x3650m4-01-vm-03 ~]# ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo
Secret:
Enter Secret again to verify:
-------------------------------
Added RADIUS proxy server "foo"
-------------------------------
  RADIUS proxy server name: foo
  Server: localhost.localdomain
  Secret: MQ==
  Retries: 0
[root@ibm-x3650m4-01-vm-03 ~]# ipa user-add foo
First name: foo
Last name: foo
----------------
Added user "foo"
----------------
  User login: foo
  First name: foo
  Last name: foo
  Full name: foo foo
  Display name: foo foo
  Initials: ff
  Home directory: /home/foo
  GECOS: foo foo
  Login shell: /bin/sh
  Kerberos principal: foo
  Email address: foo
  UID: 1143400001
  GID: 1143400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ibm-x3650m4-01-vm-03 ~]# ipa passwd foo
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "foo"
----------------------------------------
[root@ibm-x3650m4-01-vm-03 ~]# ipa user-mod foo --radius=foo --user-auth-type=radius
-------------------
Modified user "foo"
-------------------
  User login: foo
  First name: foo
  Last name: foo
  Home directory: /home/foo
  Login shell: /bin/sh
  Email address: foo
  UID: 1143400001
  GID: 1143400001
  Account disabled: False
  User authentication types: radius
  RADIUS proxy configuration: foo
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ibm-x3650m4-01-vm-03 ~]# journalctl --follow
.
.
.
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_unix(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=...ser=foo
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: request received
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: user query start
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: user query end: uid=foo,cn=users,cn=accounts,dc=testrelm,dc=test
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: radius query start: cn=foo,cn=radiusproxy,dc=testrelm,dc=test
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: radius query end: localhost.localdomain
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: forward start: foo / localhost.localdomain
Sep 04 15:11:37 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393897.402594] [devices/nm-device.c:2303] activation_source...eduled
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=p...ser=foo
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): received for user foo: 17 (Failure setting user credentials)
Sep 04 15:11:43 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: FAILED SU (to foo) root on pts/0
Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: forward end: Connection timed out
Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo: response sent: Access-Reject
Sep 04 15:12:03 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393923.451953] [devices/nm-device.c:2303] activation_source...eduled

Comment 20 errata-xmlrpc 2015-11-19 05:14:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html

Note You need to log in before you can comment on or make changes to this bug.