Bug 1435606 - Add pkinit_indicator option to KDC configuration
Summary: Add pkinit_indicator option to KDC configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks: 1451225
Reported: 2017-03-24 11:09 UTC by Petr Vobornik
Modified: 2017-08-01 09:46 UTC

Fixed In Version: ipa-4.5.0-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1451225
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-24 11:09:06 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6736

To have a consistent default authentication indicator for pkinit even if no additional certauth plugins are used it would be good to add the 'pkinit_indicator' with a suitable identifier to kdc.conf during updates and fresh installations.
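The option this ticket asks for lives in the realm stanza of the KDC's kdc.conf. As an added example, not code from this bug or from FreeIPA, the block below writes a constructed "before" and "after" stanza for the TESTRELM.TEST realm that appears later in this bug and defines a small POSIX shell check (kdc_conf_has_indicator, a hypothetical name) that an administrator can run after the update to confirm the indicator is actually set; the path /var/kerberos/krb5kdc/kdc.conf is assumed to be the RHEL default location and the other stanza values are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug or from FreeIPA.

# kdc_conf_has_indicator FILE REALM INDICATOR
#   Exit 0 if the REALM stanza under [realms] in FILE contains
#   "pkinit_indicator = INDICATOR", exit 1 otherwise (no such realm,
#   option absent or commented out, or a different identifier).
kdc_conf_has_indicator() {
    awk -v realm="$2" -v want="$3" '
        { line = $0; gsub(/=/, " = ", line); $0 = line }   # tolerate key=value without spaces
        /^[[:space:]]*\[/ {                                 # [section] header
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[[:space:]]*\}/ { inrealm = 0; next }
        # the option may be given more than once; any matching value counts
        inrealm && $1 == "pkinit_indicator" && $2 == "=" && $3 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed stanza as it might look before the update: PKINIT is configured,
# but the KDC attaches no authentication indicator to PKINIT-issued tickets.
cat > "$tmp/kdc.conf.before" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TESTRELM.TEST = {
  master_key_type = aes256-cts
  max_life = 7d 0h 0m 0s
  max_renewable_life = 14d 0h 0m 0s
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 }
EOF

# Constructed stanza after the update: every PKINIT-authenticated TGT now
# carries the "pkinit" indicator that --auth-ind=pkinit checks for.
cat > "$tmp/kdc.conf.after" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 TESTRELM.TEST = {
  master_key_type = aes256-cts
  max_life = 7d 0h 0m 0s
  max_renewable_life = 14d 0h 0m 0s
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_indicator = pkinit
 }
EOF

for f in before after; do
    if kdc_conf_has_indicator "$tmp/kdc.conf.$f" TESTRELM.TEST pkinit; then
        echo "kdc.conf.$f: pkinit_indicator = pkinit present"
    else
        echo "kdc.conf.$f: pkinit_indicator missing"
    fi
done

# On a real server (REALM is a placeholder for your Kerberos realm):
# kdc_conf_has_indicator /var/kerberos/krb5kdc/kdc.conf "$REALM" pkinit
```

The check deliberately treats a commented-out line (`# pkinit_indicator = pkinit`) or a different identifier as "missing", since either leaves PKINIT-issued tickets without the indicator and a `--auth-ind=pkinit` host or service would then refuse them.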

Comment 2 Petr Vobornik 2017-03-24 11:09:38 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6736

Comment 9 Scott Poore 2017-06-07 15:14:47 UTC
Petr,

How can I verify this?

Comment 10 Scott Poore 2017-06-07 18:52:26 UTC
I think I got a verification from Sumit earlier. I'll use that. If I need to run anything else that I'm missing there, I can add that after.

Comment 11 Scott Poore 2017-06-07 18:53:58 UTC
Verified.

Version ::

ipa-server-4.5.0-15.el7.x86_64


Results ::


###############################
# First we'll confirm authentication indicators working for pkinit
# to do this we'll sanity check that using pkinit when otp is set fails:

# ON IPA Server:

[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=otp
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com
  Principal alias: host/dhcp129-184.clientdomain.com
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa),
                              SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256),
                              SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

# On Client:

[root@dhcp129-184 ~]# su - demosc2
Last login: Wed Jun  7 12:03:32 MDT 2017 on pts/0

-sh-4.2$ su - demosc1
PIN for demosc1 (OpenSC Card)
su: Authentication failure

# Now we'll set auth-ind to pkinit and see it pass:

# ON IPA Server:

[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=pkinit
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com
  Principal alias: host/dhcp129-184.clientdomain.com
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa),
                              SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256),
                              SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Authentication Indicators: pkinit
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

# ON Client:

-sh-4.2$ su - demosc1
PIN for demosc1 (OpenSC Card)
Last login: Wed Jun  7 12:03:41 MDT 2017 on pts/0
Last failed login: Wed Jun  7 12:10:24 MDT 2017 on pts/0
There was 1 failed login attempt since the last successful login.

-sh-4.2$ whoami
demosc1

######################################
# Next we will confirm that with auth-ind=pkinit, we cannot login from a client not using pkinit:

# ON Client2, I install ipa client and comment out pkinit entries from krb5.conf just to be safe:

[realms]
  TESTRELM.TEST = {
#    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
#    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem


# Now I kinit as user and ssh to host with pkinit set for auth-ind:

[root@vm-idm-014 ~]# kinit demosc1
Password for demosc1: 
[root@vm-idm-014 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: demosc1

Valid starting       Expires              Service principal
06/08/2017 00:13:23  06/09/2017 00:13:19  krbtgt/TESTRELM.TEST
[root@vm-idm-014 ~]# ssh -l demosc1 dhcp129-184.clientdomain.com
Password: 
Password: 
Password: 

# ^^ Note that it prompts for password and login fails ^^

# Now to confirm that I can login without pkinit I remove it from host auth-ind and try again:

[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=''
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com
  Principal alias: host/dhcp129-184.clientdomain.com
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa),
                              SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256),
                              SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

[root@vm-idm-014 ~]# ssh -l demosc1 dhcp129-184.clientdomain.com
Last failed login: Wed Jun  7 12:44:35 MDT 2017 from IPSCRUBBED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jun  7 12:10:49 2017

-sh-4.2$ exit
logout

Comment 12 Alexander Bokovoy 2017-06-07 19:01:38 UTC
To verify create a service, retrieve a keytab for it, set an indicator 'pkinit' on the service and attempt to obtain a ticket to the service without and with PKINIT.

0. Kinit as admin without using PKINIT:

   kinit admin

1. ipa service-add foobar/`hostname`

2. ipa service-mod foobar/`hostname` --auth-ind=pkinit

3. ipa-getkeytab -p foobar/`hostname` -k ./foobar.keytab

4. Attempt to obtain the ticket to foobar/`hostname` as 'admin'
   KRB5_TRACE=/dev/stderr \
   kvno foobar/`hostname`

5. Now kinit with certificate:
   KRB5CCNAME=./cc.cache \
   KRB5_TRACE=/dev/stderr \
   kinit -X X509_user_identity=FILE:./someuser.crt,./someuserkey.pem someuser

6. Attempt to obtain ticket as user using a PKINIT-based ticket:
   KRB5CCNAME=./cc.cache \
   KRB5_TRACE=/dev/stderr \
   kvno foobar/`hostname`

In step (4) your operation should be denied with a message "KDC policy rejects request". In step (6) your operation should succeed and show KVNO of the foobar/`hostname`.

Comment 13 Alexander Bokovoy 2017-06-07 19:02:34 UTC
Thanks, Scott. I was finishing my verification steps by the time you posted an update. I included my steps as well to make sure they are documented.

Comment 14 Scott Poore 2017-06-07 20:29:07 UTC
Ok, I ran your method as well to cover that method as well:

[root@dhcp129-184 sssd]# kinit admin
Password for admin: 


[root@dhcp129-184 sssd]# ipa service-add foobar/`hostname`
---------------------------------------------------------------
Added service "foobar/dhcp129-184.clientdomain.com"
---------------------------------------------------------------
  Principal name: foobar/dhcp129-184.clientdomain.com
  Principal alias: foobar/dhcp129-184.clientdomain.com
  Managed by: dhcp129-184.clientdomain.com

[root@dhcp129-184 sssd]# ipa service-mod foobar/`hostname` --auth-ind=pkinit
------------------------------------------------------------------
Modified service "foobar/dhcp129-184.clientdomain.com"
------------------------------------------------------------------
  Principal name: foobar/dhcp129-184.clientdomain.com
  Principal alias: foobar/dhcp129-184.clientdomain.com
  Authentication Indicators: pkinit
  Managed by: dhcp129-184.clientdomain.com

[root@dhcp129-184 sssd]# ipa-getkeytab -p foobar/`hostname` -k ./foobar.keytab
Keytab successfully retrieved and stored in: ./foobar.keytab



[root@dhcp129-184 sssd]# KRB5_TRACE=/dev/stderr kvno foobar/`hostname`
...
kvno: KDC policy rejects request while getting credentials for foobar/dhcp129-184.clientdomain.com




[root@dhcp129-184 test]# KRB5CCNAME=./cc.cache KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=FILE:./demosc1.crt,./demosc1.key demosc1
[10405] 1496867076.701623: Getting initial credentials for demosc1
[10405] 1496867076.701863: Sending request (177 bytes) to TESTRELM.TEST
[10405] 1496867076.702138: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.722477: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744842: Received answer (307 bytes) from stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744863: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744919: Response was from master KDC
[10405] 1496867076.745044: Received error from KDC: -1765328359/Additional pre-authentication required
[10405] 1496867076.745092: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[10405] 1496867076.745117: Selected etype info: etype aes256-cts, salt "\u@&&a_Y&JO#noFf", params ""
[10405] 1496867076.745124: Received cookie: MIT
[10405] 1496867076.745327: Preauth module pkinit (147) (info) returned: 0/Success
[10405] 1496867076.746121: PKINIT client computed kdc-req-body checksum 9/55D4408C0BA71C9FEE06ECB447757D4DC5C1C632
[10405] 1496867076.746133: PKINIT client making DH request
[10405] 1496867076.766678: Preauth module pkinit (16) (real) returned: 0/Success
[10405] 1496867076.766698: Produced preauth for next request: 133, 16
[10405] 1496867076.766720: Sending request (4080 bytes) to TESTRELM.TEST
[10405] 1496867076.766778: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.786925: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827660: Received answer (3493 bytes) from stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827689: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827744: Response was from master KDC
[10405] 1496867076.827817: Processing preauth types: 17, 19
[10405] 1496867076.827828: Selected etype info: etype aes256-cts, salt "\u@&&a_Y&JO#noFf", params ""
[10405] 1496867076.828162: PKINIT client verified DH reply
[10405] 1496867076.828176: PKINIT client config accepts KDC dNSName SAN 
[10405] 1496867076.828189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/TESTRELM.TEST
[10405] 1496867076.828196: PKINIT client matched KDC principal krbtgt/TESTRELM.TEST against id-pkinit-san; no EKU check required
[10405] 1496867076.834978: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/38EB
[10405] 1496867076.835002: Preauth module pkinit (17) (real) returned: 0/Success
[10405] 1496867076.835016: Produced preauth for next request: (empty)
[10405] 1496867076.835021: AS key determined by preauth: aes256-cts/38EB
[10405] 1496867076.835075: Decrypted AS reply; session key is: aes256-cts/CB62
[10405] 1496867076.835100: FAST negotiation: available
[10405] 1496867076.835121: Initializing FILE:./cc.cache with default princ demosc1
[10405] 1496867076.835314: Storing demosc1 -> krbtgt/TESTRELM.TEST in FILE:./cc.cache
[10405] 1496867076.835358: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST: fast_avail: yes
[10405] 1496867076.835385: Storing demosc1 -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache
[10405] 1496867076.835408: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST: pa_type: 16
[10405] 1496867076.835428: Storing demosc1 -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache
[10405] 1496867076.835453: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST: pa_config_data: {"X509_user_identity":"FILE:./demosc1.crt,./demosc1.key"}
[10405] 1496867076.835473: Storing demosc1 -> krb5_ccache_conf_data/pa_config_data/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache

[root@dhcp129-184 test]# KRB5CCNAME=./cc.cache KRB5_TRACE=/dev/stderr kvno foobar/`hostname`
[10407] 1496867083.258804: Getting credentials demosc1 -> foobar/dhcp129-184.clientdomain.com using ccache FILE:./cc.cache
[10407] 1496867083.259167: Retrieving demosc1 -> foobar/dhcp129-184.clientdomain.com from FILE:./cc.cache with result: -1765328243/Matching credential not found (filename: ./cc.cache)
[10407] 1496867083.259434: Retrieving demosc1 -> krbtgt/TESTRELM.TEST from FILE:./cc.cache with result: 0/Success
[10407] 1496867083.259459: Starting with TGT for client realm: demosc1 -> krbtgt/TESTRELM.TEST
[10407] 1496867083.259475: Requesting tickets for foobar/dhcp129-184.clientdomain.com, referrals on
[10407] 1496867083.259555: Generated subkey for TGS request: aes256-cts/37F3
[10407] 1496867083.259644: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[10407] 1496867083.259854: Encoding request body and padata into FAST request
[10407] 1496867083.259974: Sending request (1710 bytes) to TESTRELM.TEST
[10407] 1496867083.260260: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.280546: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303594: Received answer (1653 bytes) from stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303622: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303678: Response was from master KDC
[10407] 1496867083.303746: Decoding FAST response
[10407] 1496867083.303834: FAST reply key: aes256-cts/CDEC
[10407] 1496867083.303866: TGS reply is for demosc1 -> foobar/dhcp129-184.clientdomain.com with session key aes256-cts/5328
[10407] 1496867083.303893: TGS request result: 0/Success
[10407] 1496867083.303900: Received creds for desired service foobar/dhcp129-184.clientdomain.com
[10407] 1496867083.303912: Storing demosc1 -> foobar/dhcp129-184.clientdomain.com in FILE:./cc.cache
foobar/dhcp129-184.clientdomain.com: kvno = 1
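The procedure in comment 12 hinges on reading two KRB5_TRACE captures correctly: the AS exchange must show which pre-authentication mechanism actually produced the TGT, and the TGS exchange must show whether the KDC applied the indicator policy. As an added example, not code from this bug or from FreeIPA, the POSIX shell functions below (as_preauth_used, tgs_outcome, kvno_reported and indicator_check are hypothetical names) classify such captures and check the expected pairing from steps 4 and 6. The sample traces are constructed for the example; the PKINIT lines are copied, abridged, from the output in comment 14.

```shell
#!/bin/sh
# Added example, not code from the bug or from FreeIPA.

# as_preauth_used FILE -> pkinit | password | none
#   Which pre-authentication mechanism satisfied the AS exchange recorded in FILE.
#   Only a TGT obtained through PKINIT carries the "pkinit" indicator that a
#   service with --auth-ind=pkinit requires.
as_preauth_used() {
    if grep -q 'Preauth module pkinit (16) (real) returned: 0/Success' "$1" &&
       grep -q 'PKINIT client verified DH reply' "$1"; then
        echo pkinit
    elif grep -q 'Preauth module encrypted_timestamp (2) (real) returned: 0/Success' "$1"; then
        echo password
    else
        echo none
    fi
}

# tgs_outcome FILE -> success | policy-rejected | unknown
#   How the KDC answered the TGS request for the indicator-protected service.
tgs_outcome() {
    if grep -q 'KDC policy rejects request' "$1"; then
        echo policy-rejected
    elif grep -q 'TGS request result: 0/Success' "$1"; then
        echo success
    else
        echo unknown
    fi
}

# kvno_reported FILE -> the key version number printed by a successful kvno(1) run, or nothing
kvno_reported() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' "$1"
}

# indicator_check AS_TRACE TGS_TRACE -> ok | FAIL
#   The expected pairing from comment 12: a password-obtained TGT must be refused
#   (step 4) and a PKINIT-obtained TGT must be accepted (step 6). Any other
#   combination means the indicator is not being enforced as intended.
indicator_check() {
    case "$(as_preauth_used "$1")/$(tgs_outcome "$2")" in
        password/policy-rejected|pkinit/success) echo ok ;;
        *) echo FAIL ;;
    esac
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Steps 0 and 4: password kinit as admin, then kvno refused (constructed lines).
cat > "$tmp/as.password" <<'EOF'
[10403] 1496867001.000000: Getting initial credentials for admin
[10403] 1496867001.000100: Received error from KDC: -1765328359/Additional pre-authentication required
[10403] 1496867001.000200: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[10403] 1496867001.000300: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[10403] 1496867001.000400: Produced preauth for next request: 133, 2
[10403] 1496867001.000500: Decrypted AS reply; session key is: aes256-cts/AB12
EOF
cat > "$tmp/tgs.rejected" <<'EOF'
[10404] 1496867002.000000: Getting credentials admin -> foobar/dhcp129-184.clientdomain.com using ccache KEYRING:persistent:0:0
kvno: KDC policy rejects request while getting credentials for foobar/dhcp129-184.clientdomain.com
EOF

# Steps 5 and 6: PKINIT kinit as demosc1, then kvno accepted (abridged from comment 14).
cat > "$tmp/as.pkinit" <<'EOF'
[10405] 1496867076.745092: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[10405] 1496867076.746133: PKINIT client making DH request
[10405] 1496867076.766678: Preauth module pkinit (16) (real) returned: 0/Success
[10405] 1496867076.828162: PKINIT client verified DH reply
[10405] 1496867076.835075: Decrypted AS reply; session key is: aes256-cts/CB62
[10405] 1496867076.835408: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST: pa_type: 16
EOF
cat > "$tmp/tgs.success" <<'EOF'
[10407] 1496867083.258804: Getting credentials demosc1 -> foobar/dhcp129-184.clientdomain.com using ccache FILE:./cc.cache
[10407] 1496867083.303893: TGS request result: 0/Success
[10407] 1496867083.303900: Received creds for desired service foobar/dhcp129-184.clientdomain.com
foobar/dhcp129-184.clientdomain.com: kvno = 1
EOF

echo "step 4: $(indicator_check "$tmp/as.password" "$tmp/tgs.rejected")"
echo "step 6: $(indicator_check "$tmp/as.pkinit" "$tmp/tgs.success") (kvno $(kvno_reported "$tmp/tgs.success"))"
```

To use this against live captures, run each step of comment 12 with `KRB5_TRACE=/dev/stderr` and `2>` redirected to a file, then pass the AS-exchange file and the TGS-exchange file to indicator_check. The "pa_type: 16" line stored in the credential cache is the durable sign that the TGT came from PKINIT; the "verified DH reply" line is required in addition so that a PKINIT attempt that fell back to another mechanism is not mistaken for success.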

Comment 15 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304