Bug 1435606 - Add pkinit_indicator option to KDC configuration
Summary: Add pkinit_indicator option to KDC configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks: 1451225
Reported: 2017-03-24 11:09 UTC by Petr Vobornik
Modified: 2017-08-01 09:46 UTC (History)

Fixed In Version: ipa-4.5.0-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1451225 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Target Upstream Version:




Links
System ID: Red Hat Product Errata RHBA-2017:2304
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-24 11:09:06 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6736

To have a consistent default authentication indicator for pkinit even if no additional certauth plugins are used it would be good to add the 'pkinit_indicator' with a suitable identifier to kdc.conf during updates and fresh installations.
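As an added check (example code, not FreeIPA's own), the following parses the [realms] section of an MIT krb5 kdc.conf and lists the pkinit_indicator values a realm carries, which is how an administrator can confirm that the install or update actually wrote the option. The two sample configurations are constructed; the indicator name pkinit is an assumption matching the value used in the verification comments below.

```python
"""Added example (not FreeIPA code): list the pkinit_indicator values a realm
carries in an MIT krb5 kdc.conf, parsing only the syntax subset [realms] uses."""
import re

SECTION_RE = re.compile(r"^\[(\S+)\]$")
BLOCK_OPEN_RE = re.compile(r"^(\S+)\s*=\s*\{$")
KV_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m and realm is None:              # start of a "REALM = {" block
            realm = m.group(1)
            realms.setdefault(realm, {})
            continue
        if line == "}":                      # end of the realm block
            realm = None
            continue
        m = KV_RE.match(line)
        if m and realm is not None:
            # The option may be repeated, so every value is kept in order.
            realms[realm].setdefault(m.group(1), []).append(m.group(2).strip())
    return realms

def pkinit_indicators(text, realm):
    """Indicators the KDC attaches to PKINIT-issued tickets for realm, or []."""
    return parse_realms(text).get(realm, {}).get("pkinit_indicator", [])

# Constructed samples: a realm block without the option, and the same block
# with the option this bug adds (certificate paths are placeholders).
KDC_CONF_BEFORE = """\
[realms]
 TESTRELM.TEST = {
  max_life = 7d
  pkinit_identity = FILE:/path/to/kdc.crt,/path/to/kdc.key
 }
"""
KDC_CONF_AFTER = KDC_CONF_BEFORE.replace(" }\n", "  pkinit_indicator = pkinit\n }\n")
```

Run against the two samples, pkinit_indicators() returns [] for the first and ['pkinit'] for the second; an empty result on a live /var/kerberos/krb5kdc/kdc.conf means the KDC will issue PKINIT tickets with no indicator and services requiring pkinit will reject them.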

Comment 2 Petr Vobornik 2017-03-24 11:09:38 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6736

Comment 9 Scott Poore 2017-06-07 15:14:47 UTC
Petr,

How can I verify this?

Comment 10 Scott Poore 2017-06-07 18:52:26 UTC
I think I got a verification from Sumit earlier. I'll use that. If I need to run anything else that I'm missing there, I can add that after.

Comment 11 Scott Poore 2017-06-07 18:53:58 UTC
Verified.

Version ::

ipa-server-4.5.0-15.el7.x86_64


Results ::


###############################
# First we'll confirm authentication indicators working for pkinit
# to do this we'll sanity check that using pkinit when otp is set fails:

# ON IPA Server:

[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=otp
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa),
                              SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256),
                              SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

# On Client:

[root@dhcp129-184 ~]# su - demosc2
Last login: Wed Jun  7 12:03:32 MDT 2017 on pts/0

-sh-4.2$ su - demosc1
PIN for demosc1 (OpenSC Card)
su: Authentication failure

# Now we'll set auth-ind to pkinit and see it pass:

# ON IPA Server:

[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=pkinit
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa),
                              SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256),
                              SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Authentication Indicators: pkinit
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

# ON Client:

-sh-4.2$ su - demosc1
PIN for demosc1 (OpenSC Card)
Last login: Wed Jun  7 12:03:41 MDT 2017 on pts/0
Last failed login: Wed Jun  7 12:10:24 MDT 2017 on pts/0
There was 1 failed login attempt since the last successful login.

-sh-4.2$ whoami
demosc1

######################################
# Next we will confirm that with auth-ind=pkinit, we cannot login from a client not using pkinit:

# ON Client2, I install ipa client and comment out pkinit entries from krb5.conf just to be safe:

[realms]
  TESTRELM.TEST = {
#    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
#    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem


# Now I kinit as user and ssh to host with pkinit set for auth-ind:

[root@vm-idm-014 ~]# kinit demosc1
Password for demosc1@TESTRELM.TEST: 
[root@vm-idm-014 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 00:13:23  06/09/2017 00:13:19  krbtgt/TESTRELM.TEST@TESTRELM.TEST
[root@vm-idm-014 ~]# ssh -l demosc1 dhcp129-184.clientdomain.com
Password: 
Password: 
Password: 

# ^^ Note that it prompts for password and login fails ^^

# Now to confirm that I can login without pkinit I remove it from host auth-ind and try again:

[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=''
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa),
                              SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256),
                              SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

[root@vm-idm-014 ~]# ssh -l demosc1 dhcp129-184.clientdomain.com
Last failed login: Wed Jun  7 12:44:35 MDT 2017 from IPSCRUBBED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jun  7 12:10:49 2017

-sh-4.2$ exit
logout

Comment 12 Alexander Bokovoy 2017-06-07 19:01:38 UTC
To verify create a service, retrieve a keytab for it, set an indicator 'pkinit' on the service and attempt to obtain a ticket to the service without and with PKINIT.

0. Kinit as admin without using PKINIT:

   kinit admin

1. ipa service-add foobar/`hostname`

2. ipa service-mod foobar/`hostname` --auth-ind=pkinit

3. ipa-getkeytab -p foobar/`hostname` -k ./foobar.keytab

4. Attempt to obtain the ticket to foobar/`hostname` as 'admin'
   KRB5_TRACE=/dev/stderr \
   kvno foobar/`hostname`

5. Now kinit with certificate:
   KRB5CCNAME=./cc.cache \
   KRB5_TRACE=/dev/stderr \
   kinit -X X509_user_identity=FILE:./someuser.crt,./someuserkey.pem someuser

6. Attempt to obtain ticket as user using a PKINIT-based ticket:
   KRB5CCNAME=./cc.cache \
   KRB5_TRACE=/dev/stderr \
   kvno foobar/`hostname`

In step (4) your operation should be denied with a message "KDC policy rejects request". In step (6) your operation should succeed and show KVNO of the foobar/`hostname`.

Comment 13 Alexander Bokovoy 2017-06-07 19:02:34 UTC
Thanks, Scott. I was finishing my verification steps by the time you posted an update. I included my steps as well to make sure they are documented.

Comment 14 Scott Poore 2017-06-07 20:29:07 UTC
Ok, I ran your method as well to cover that method as well:

[root@dhcp129-184 sssd]# kinit admin
Password for admin@TESTRELM.TEST: 


[root@dhcp129-184 sssd]# ipa service-add foobar/`hostname`
---------------------------------------------------------------
Added service "foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST"
---------------------------------------------------------------
  Principal name: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Managed by: dhcp129-184.clientdomain.com

[root@dhcp129-184 sssd]# ipa service-mod foobar/`hostname` --auth-ind=pkinit
------------------------------------------------------------------
Modified service "foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST"
------------------------------------------------------------------
  Principal name: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Authentication Indicators: pkinit
  Managed by: dhcp129-184.clientdomain.com

[root@dhcp129-184 sssd]# ipa-getkeytab -p foobar/`hostname` -k ./foobar.keytab
Keytab successfully retrieved and stored in: ./foobar.keytab
[root@dhcp129-184 sssd]# KRB5_TRACE=/dev/stderr kvno foobar/`hostname`
...
kvno: KDC policy rejects request while getting credentials for foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
[root@dhcp129-184 test]# KRB5CCNAME=./cc.cache KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=FILE:./demosc1.crt,./demosc1.key demosc1
[10405] 1496867076.701623: Getting initial credentials for demosc1@TESTRELM.TEST
[10405] 1496867076.701863: Sending request (177 bytes) to TESTRELM.TEST
[10405] 1496867076.702138: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.722477: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744842: Received answer (307 bytes) from stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744863: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744919: Response was from master KDC
[10405] 1496867076.745044: Received error from KDC: -1765328359/Additional pre-authentication required
[10405] 1496867076.745092: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[10405] 1496867076.745117: Selected etype info: etype aes256-cts, salt "\u@&&a_Y&JO#noFf", params ""
[10405] 1496867076.745124: Received cookie: MIT
[10405] 1496867076.745327: Preauth module pkinit (147) (info) returned: 0/Success
[10405] 1496867076.746121: PKINIT client computed kdc-req-body checksum 9/55D4408C0BA71C9FEE06ECB447757D4DC5C1C632
[10405] 1496867076.746133: PKINIT client making DH request
[10405] 1496867076.766678: Preauth module pkinit (16) (real) returned: 0/Success
[10405] 1496867076.766698: Produced preauth for next request: 133, 16
[10405] 1496867076.766720: Sending request (4080 bytes) to TESTRELM.TEST
[10405] 1496867076.766778: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.786925: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827660: Received answer (3493 bytes) from stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827689: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827744: Response was from master KDC
[10405] 1496867076.827817: Processing preauth types: 17, 19
[10405] 1496867076.827828: Selected etype info: etype aes256-cts, salt "\u@&&a_Y&JO#noFf", params ""
[10405] 1496867076.828162: PKINIT client verified DH reply
[10405] 1496867076.828176: PKINIT client config accepts KDC dNSName SAN 
[10405] 1496867076.828189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/TESTRELM.TEST@TESTRELM.TEST
[10405] 1496867076.828196: PKINIT client matched KDC principal krbtgt/TESTRELM.TEST@TESTRELM.TEST against id-pkinit-san; no EKU check required
[10405] 1496867076.834978: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/38EB
[10405] 1496867076.835002: Preauth module pkinit (17) (real) returned: 0/Success
[10405] 1496867076.835016: Produced preauth for next request: (empty)
[10405] 1496867076.835021: AS key determined by preauth: aes256-cts/38EB
[10405] 1496867076.835075: Decrypted AS reply; session key is: aes256-cts/CB62
[10405] 1496867076.835100: FAST negotiation: available
[10405] 1496867076.835121: Initializing FILE:./cc.cache with default princ demosc1@TESTRELM.TEST
[10405] 1496867076.835314: Storing demosc1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST in FILE:./cc.cache
[10405] 1496867076.835358: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST@TESTRELM.TEST: fast_avail: yes
[10405] 1496867076.835385: Storing demosc1@TESTRELM.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache
[10405] 1496867076.835408: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST@TESTRELM.TEST: pa_type: 16
[10405] 1496867076.835428: Storing demosc1@TESTRELM.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache
[10405] 1496867076.835453: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST@TESTRELM.TEST: pa_config_data: {"X509_user_identity":"FILE:./demosc1.crt,./demosc1.key"}
[10405] 1496867076.835473: Storing demosc1@TESTRELM.TEST -> krb5_ccache_conf_data/pa_config_data/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache

[root@dhcp129-184 test]# KRB5CCNAME=./cc.cache KRB5_TRACE=/dev/stderr kvno foobar/`hostname`
[10407] 1496867083.258804: Getting credentials demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST using ccache FILE:./cc.cache
[10407] 1496867083.259167: Retrieving demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST from FILE:./cc.cache with result: -1765328243/Matching credential not found (filename: ./cc.cache)
[10407] 1496867083.259434: Retrieving demosc1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST from FILE:./cc.cache with result: 0/Success
[10407] 1496867083.259459: Starting with TGT for client realm: demosc1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST
[10407] 1496867083.259475: Requesting tickets for foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST, referrals on
[10407] 1496867083.259555: Generated subkey for TGS request: aes256-cts/37F3
[10407] 1496867083.259644: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[10407] 1496867083.259854: Encoding request body and padata into FAST request
[10407] 1496867083.259974: Sending request (1710 bytes) to TESTRELM.TEST
[10407] 1496867083.260260: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.280546: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303594: Received answer (1653 bytes) from stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303622: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303678: Response was from master KDC
[10407] 1496867083.303746: Decoding FAST response
[10407] 1496867083.303834: FAST reply key: aes256-cts/CDEC
[10407] 1496867083.303866: TGS reply is for demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST with session key aes256-cts/5328
[10407] 1496867083.303893: TGS request result: 0/Success
[10407] 1496867083.303900: Received creds for desired service foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
[10407] 1496867083.303912: Storing demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST in FILE:./cc.cache
foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST: kvno = 1

Comment 15 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
