Bug 1431589 - Libvirt needs to enforce a stronger SSF value for GSSAPI w/ Kerberos.
Summary: Libvirt needs to enforce a stronger SSF value for GSSAPI w/ Kerberos.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: 9.0
Assignee: Ján Tomko
QA Contact: Lili Zhu
URL:
Whiteboard:
Depends On: rhel75-cyrus-sasl-kerberos
Blocks:
Reported: 2017-03-13 11:36 UTC by Daniel Berrangé
Modified: 2022-05-17 13:01 UTC (History)

Fixed In Version: libvirt-7.10.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 12:45:05 UTC
Type: Bug
Target Upstream Version: 7.10.0
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2390 0 None None None 2022-05-17 12:45:31 UTC

Description Daniel Berrangé 2017-03-13 11:36:00 UTC
Description of problem:
Currently when libvirt configures SASL on the non-TLS socket, it requests a min_ssf value of 56 to enable session encryption. This is equivalent to requesting single-DES which is totally broken by modern cryptographic standards. 

To provide an adequate modern security level Libvirt needs to ensure GSSAPI/Kerberos is at least using triple-DES, which would correspond to a min_ssf value of 112.

Unfortunately setting SSF values larger than 56 is currently meaningless since cyrus-sasl performs its calculations against a hardcoded SSF value, rather than actually querying the underlying Kerberos session properties. Once this cyrus-sasl bug is fixed though, libvirt should be able to mandate stronger SSF

https://bugzilla.redhat.com/show_bug.cgi?id=1431586

Technically administrators can configure the Kerberos encryption strength by choosing particular ciphers in /etc/krb5.conf, however, this applies system wide. Since many apps use Kerberos over a TLS connection, they may be willing to allow somewhat lower strength ciphers than would be applicable for libvirt when using Kerberos for session encryption without TLS. So there is benefit to libvirt being able to enforce stronger SSF values.

Before we make any changes, we need cyrus_sasl fixed to correctly calculate & check SSF values (https://bugzilla.redhat.com/show_bug.cgi?id=1431586) Once that's done we can 

 - Warn if we see SSF < 112
 - After ~1 year, increase min SSF to 112 as a mandatory change
 - Add a tcp_min_ssf to /etc/libvirt/libvirtd.conf to allow admins to request a SSF greater than 112 (never allow config to set < 112)

Comment 5 RHEL Program Management 2021-01-15 07:32:46 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 8 RHEL Program Management 2021-07-31 07:27:14 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 9 Ján Tomko 2021-11-03 13:11:14 UTC
Upstream patches:
https://listman.redhat.com/archives/libvir-list/2021-November/msg00120.html

Comment 11 Ján Tomko 2021-11-04 16:06:15 UTC
Pushed upstream as:
commit 58a48cff840d623822eaf34c4a08cb364cc26f2f
Author:     Ján Tomko <jtomko>
CommitDate: 2021-11-04 17:02:56 +0100

    daemon: add tcp_min_ssf option
    
    Add an option to allow the admin to request a higher minimum SSF
    for connections than the built-in default.
    
    The current default is 56 (single DES equivalent, to support
    old kerberos) and will be raised to 112 in the future.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1431589
    
    Signed-off-by: Ján Tomko <jtomko>
    Reviewed-by: Michal Privoznik <mprivozn>

git describe: v7.9.0-56-g58a48cff84

Comment 12 Lili Zhu 2021-12-13 04:46:20 UTC
Tested with libvirt-7.10.0-1.el9.x86_64:

1. configure virtproxyd.conf
# cat /etc/libvirt/virtproxyd.conf
tcp_min_ssf = 56

2. restart virtproxyd
# systemctl restart virtproxyd
Job for virtproxyd.service failed because the control process exited with error code.
See "systemctl status virtproxyd.service" and "journalctl -xeu virtproxyd.service" for details.

3. check the log
...
 error : main:925 : Can't load config file: unsupported configuration: minimum SSF levels lower than 112 are not supported: /etc/libvirt/virtproxyd.conf
...

Comment 13 Lili Zhu 2021-12-13 04:58:42 UTC
1. The krb5.conf are configured as follows:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 allow_weak_crypto = true
 default_realm = LAB.ENG.PEK2.REDHAT.COM

[realms]
 LAB.ENG.PEK2.REDHAT.COM = {
     kdc = kdc.lab.eng.pek2.redhat.com:88
     admin_server = kdc.lab.eng.pek2.redhat.com:749
 }

[domain_realm]
 .lab.eng.pek2.redhat.com = LAB.ENG.PEK2.REDHAT.COM
 lab.eng.pek2.redhat.com = LAB.ENG.PEK2.REDHAT.COM

2. Then I set the encryption type of the principal to single-des:
kadmin.local:  getprinc root/admin
Principal: root/admin.PEK2.REDHAT.COM
Expiration date: [never]
Last password change: Mon Dec 13 11:35:13 CST 2021
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Dec 13 11:35:13 CST 2021 (root/admin.PEK2.REDHAT.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]

3. Then I tried to connect to the kdc on RHEL9
# rpm -qa |grep krb5
krb5-libs-1.19.1-12.el9.x86_64
krb5-pkinit-1.19.1-12.el9.x86_64
krb5-server-1.19.1-12.el9.x86_64
krb5-workstation-1.19.1-12.el9.x86_64

# kadmin
Authenticating as principal root/admin.PEK2.REDHAT.COM with password.
kadmin: KDC has no support for encryption type while initializing kadmin interface

I cannot connect to the kdc, but I can make it on RHEL7

Hi, Jan

I want the ssf on the kdc to be less than 112 to trigger the warning. But I cannot connect to the kdc under the above configuration.
Am I going in the right direction? Please help to take a look. Thanks

Comment 14 Lili Zhu 2021-12-13 06:13:20 UTC
Hi, Jan

I checked the doc again:
https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/enctypes.html
It is said "krb5 releases 1.18 and later do not support single-DES".
Please help on how to trigger the warning. Thanks

Comment 18 Ján Tomko 2021-12-13 16:34:56 UTC
Oops, I don't think it can be easily tested if krb5-libs no longer supports it.
The good thing is that if it's unsupported by that package, people are less
likely to be using it.

If I remember correctly, back when I tried the patches, I cheated by using
a version of the daemon with a higher hardcoded value.

Comment 19 Lili Zhu 2021-12-29 09:27:19 UTC
Verify this bug with:
libvirt-7.10.0-1.el9.x86_64

1. configure virtproxyd.conf
# cat /etc/libvirt/virtproxyd.conf
tcp_min_ssf = 56

2. restart virtproxyd
# systemctl restart virtproxyd
Job for virtproxyd.service failed because the control process exited with error code.
See "systemctl status virtproxyd.service" and "journalctl -xeu virtproxyd.service" for details.

3. check the log
...
 error : main:925 : Can't load config file: unsupported configuration: minimum SSF levels lower than 112 are not supported: /etc/libvirt/virtproxyd.conf
...

4. set the tcp_min_ssf value to 256
tcp_min_ssf = 256

5. restart virtproxyd
# systemctl restart virtproxyd

# echo $?
0

As the testing result matches with the expected result, mark the bug as verified.
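
The policy discussed in this bug (configured values below 112 are rejected, an unset option falls back to the weaker built-in default, and allow_weak_crypto in krb5.conf applies system-wide) can be checked offline before a daemon restart. The following is an added example, not libvirt code and not part of any comment above; the function names and sample inputs are constructed, and the default of 56 is the one stated in the commit message for libvirt 7.10.0.

```python
# Added example: audit tcp_min_ssf and allow_weak_crypto (not libvirt code).
MIN_SUPPORTED_SSF = 112   # floor from the daemon error message quoted in this thread
BUILTIN_DEFAULT_SSF = 56  # default stated in the upstream commit message (libvirt 7.10.0)
KRB5_TRUE = {"y", "yes", "true", "t", "1", "on"}  # boolean spellings MIT krb5 treats as true


def parse_settings(text, section=None):
    """Return key/value pairs; if section is given, only those under [section]."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif "=" in line and current == section:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_tcp_min_ssf(conf_text):
    """Classify a libvirt daemon config by its effective minimum SSF."""
    value = parse_settings(conf_text).get("tcp_min_ssf")
    if value is None:
        return "warn", f"tcp_min_ssf unset, built-in default {BUILTIN_DEFAULT_SSF} applies"
    if not value.isdigit():
        return "fail", f"tcp_min_ssf is not an unsigned integer: {value!r}"
    if int(value) < MIN_SUPPORTED_SSF:
        return "fail", f"tcp_min_ssf={value} is below {MIN_SUPPORTED_SSF}, daemon will not start"
    return "ok", f"tcp_min_ssf={value}"


def audit_krb5(krb5_text):
    """Flag allow_weak_crypto in [libdefaults], which applies system-wide."""
    value = parse_settings(krb5_text, "libdefaults").get("allow_weak_crypto", "false")
    if value.lower() in KRB5_TRUE:
        return "warn", "allow_weak_crypto enabled in [libdefaults]"
    return "ok", "allow_weak_crypto not enabled"


# Constructed sample inputs mirroring the settings shown in the thread.
SAMPLE_LOW = "# constructed sample\ntcp_min_ssf = 56\n"
SAMPLE_HIGH = "tcp_min_ssf = 256  # value used in the verification step\n"
SAMPLE_UNSET = "#tcp_min_ssf = 112\n"
SAMPLE_KRB5 = ("[libdefaults]\n rdns = false\n allow_weak_crypto = true\n"
               "[realms]\n EXAMPLE.TEST = {\n  kdc = kdc.example.test:88\n }\n")

if __name__ == "__main__":
    for name, text in [("low", SAMPLE_LOW), ("high", SAMPLE_HIGH), ("unset", SAMPLE_UNSET)]:
        print(name, audit_tcp_min_ssf(text))
    print("krb5", audit_krb5(SAMPLE_KRB5))
```
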

Comment 21 errata-xmlrpc 2022-05-17 12:45:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: libvirt), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2390

