Red Hat Bugzilla – Bug 1435606
Add pkinit_indicator option to KDC configuration
Last modified: 2017-08-01 05:46:16 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6736

To have a consistent default authentication indicator for pkinit even if no additional certauth plugins are used it would be good to add the 'pkinit_indicator' with a suitable identifier to kdc.conf during updates and fresh installations.
Upstream ticket: https://pagure.io/freeipa/issue/6736
Fixed upstream
master: https://pagure.io/freeipa/c/e8a7e2e38ad7cea2964305247430e964d2b785b1
ipa-4-5: https://pagure.io/freeipa/c/ca02cea8dfd63290e4821833fc2ac7d457290e9f
Petr, How can I verify this?
I think I got a verification from Sumit earlier. I'll use that. If I need to run anything else that I'm missing there, I can add that after.
Verified.

Version :: ipa-server-4.5.0-15.el7.x86_64

Results ::

###############################
# First we'll confirm authentication indicators working for pkinit
# to do this we'll sanity check that using pkinit when otp is set fails:

# ON IPA Server:
[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=otp
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa), SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256), SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

# On Client:
[root@dhcp129-184 ~]# su - demosc2
Last login: Wed Jun 7 12:03:32 MDT 2017 on pts/0
-sh-4.2$ su - demosc1
PIN for demosc1 (OpenSC Card)
su: Authentication failure

# Now we'll set auth-ind to pkinit and see it pass:

# ON IPA Server:
[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=pkinit
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa), SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256), SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Authentication Indicators: pkinit
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

# ON Client:
-sh-4.2$ su - demosc1
PIN for demosc1 (OpenSC Card)
Last login: Wed Jun 7 12:03:41 MDT 2017 on pts/0
Last failed login: Wed Jun 7 12:10:24 MDT 2017 on pts/0
There was 1 failed login attempt since the last successful login.
-sh-4.2$ whoami
demosc1

######################################
# Next we will confirm that with auth-ind=pkinit, we cannot login from a client not using pkinit:

# ON Client2, I install ipa client and comment out pkinit entries from krb5.conf just to be safe:
[realms]
 TESTRELM.TEST = {
  # pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  # pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

# Now I kinit as user and ssh to host with pkinit set for auth-ind:
[root@vm-idm-014 ~]# kinit demosc1
Password for demosc1@TESTRELM.TEST:
[root@vm-idm-014 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
06/08/2017 00:13:23  06/09/2017 00:13:19  krbtgt/TESTRELM.TEST@TESTRELM.TEST
[root@vm-idm-014 ~]# ssh -l demosc1 dhcp129-184.clientdomain.com
Password:
Password:
Password:
# ^^ Note that it prompts for password and login fails ^^

# Now to confirm that I can login without pkinit I remove it from host auth-ind and try again:
[root@auto-hv-02-guest08 ~]# ipa host-mod dhcp129-184.clientdomain.com --auth-ind=''
------------------------------------------
Modified host "dhcp129-184.clientdomain.com"
------------------------------------------
  Host name: dhcp129-184.clientdomain.com
  Principal name: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: host/dhcp129-184.clientdomain.com@TESTRELM.TEST
  SSH public key fingerprint: SHA256:+nkYOvnqTqC678NZmyeYil7MIo3iYhLoAyhqxjGGiAA (ssh-rsa), SHA256:FnkmkVsK0C9wlD+FlRHB/kjr1Anq13b5i/Vo+9+1vFM (ecdsa-sha2-nistp256), SHA256:Yef8MFj4wcuOM2/b5DQa8JxDPo2OX774h5s8aVE7oGk (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: dhcp129-184.clientdomain.com

[root@vm-idm-014 ~]# ssh -l demosc1 dhcp129-184.clientdomain.com
Last failed login: Wed Jun 7 12:44:35 MDT 2017 from IPSCRUBBED on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jun 7 12:10:49 2017
-sh-4.2$ exit
logout
To verify, create a service, retrieve a keytab for it, set an indicator 'pkinit' on the service and attempt to obtain a ticket to the service without and with PKINIT.

0. Kinit as admin without using PKINIT:
   kinit admin
1. ipa service-add foobar/`hostname`
2. ipa service-mod foobar/`hostname` --auth-ind=pkinit
3. ipa-getkeytab -p foobar/`hostname` -k ./foobar.keytab
4. Attempt to obtain the ticket to foobar/`hostname` as 'admin':
   KRB5_TRACE=/dev/stderr \
   kvno foobar/`hostname`
5. Now kinit with certificate:
   KRB5CCNAME=./cc.cache \
   KRB5_TRACE=/dev/stderr \
   kinit -X X509_user_identity=FILE:./someuser.crt,./someuserkey.pem someuser
6. Attempt to obtain ticket as user using a PKINIT-based ticket:
   KRB5CCNAME=./cc.cache \
   KRB5_TRACE=/dev/stderr \
   kvno foobar/`hostname`

In step (4) your operation should be denied with a message "KDC policy rejects request". In step (6) your operation should succeed and show KVNO of the foobar/`hostname`.
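The verification above exercises the KDC end to end; a complementary offline check, added here and not part of FreeIPA or of this bug's comments, is to confirm that the realm stanza in kdc.conf actually carries the `pkinit_indicator` the fix adds, since without it a PKINIT login never satisfies `--auth-ind=pkinit`. The sample configs are constructed; only the realm name is taken from the log above.

```python
"""Added example (not FreeIPA's own code): parse the brace-nested kdc.conf
syntax and report the pkinit_indicator values a realm carries, i.e. what
the KDC stamps on PKINIT-issued tickets for --auth-ind=pkinit to match."""

# Constructed sample of the shape this fix leaves in kdc.conf;
# only the realm name is taken from the bug's verification log.
FIXED_KDC_CONF = """\
[kdcdefaults]
  kdc_ports = 88

[realms]
  TESTRELM.TEST = {
    max_life = 7d
    max_renewable_life = 14d
    pkinit_indicator = pkinit
  }
"""
# Constructed: the same realm before the fix, with no indicator at all.
PRE_FIX_KDC_CONF = FIXED_KDC_CONF.replace("    pkinit_indicator = pkinit\n", "")

def parse_kdc_conf(text):
    """Parse [section] headers, key = value lines and one level of
    `name = { ... }` relations (the form used under [realms]).
    Values are lists because pkinit_indicator may be repeated."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf

def pkinit_indicators(text, realm):
    """Indicators the KDC attaches to tickets obtained via PKINIT for realm."""
    realms = parse_kdc_conf(text).get("realms", {})
    return realms.get(realm, {}).get("pkinit_indicator", [])

def realm_has_indicator(text, realm, indicator="pkinit"):
    """True when a PKINIT login can satisfy a service's --auth-ind=indicator."""
    return indicator in pkinit_indicators(text, realm)
```

Run it against /var/kerberos/krb5kdc/kdc.conf on an upgraded server: an empty list for the realm means step (6) of the procedure will be rejected just like step (4).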
Thanks, Scott. I was finishing my verification steps by the time you posted an update. I included my steps as well to make sure they are documented.
Ok, I ran your method as well to cover that method as well:

[root@dhcp129-184 sssd]# kinit admin
Password for admin@TESTRELM.TEST:
[root@dhcp129-184 sssd]# ipa service-add foobar/`hostname`
---------------------------------------------------------------
Added service "foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST"
---------------------------------------------------------------
  Principal name: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Managed by: dhcp129-184.clientdomain.com
[root@dhcp129-184 sssd]# ipa service-mod foobar/`hostname` --auth-ind=pkinit
------------------------------------------------------------------
Modified service "foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST"
------------------------------------------------------------------
  Principal name: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Principal alias: foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
  Authentication Indicators: pkinit
  Managed by: dhcp129-184.clientdomain.com
[root@dhcp129-184 sssd]# ipa-getkeytab -p foobar/`hostname` -k ./foobar.keytab
Keytab successfully retrieved and stored in: ./foobar.keytab
[root@dhcp129-184 sssd]# KRB5_TRACE=/dev/stderr kvno foobar/`hostname`
...
kvno: KDC policy rejects request while getting credentials for foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST

[root@dhcp129-184 test]# KRB5CCNAME=./cc.cache KRB5_TRACE=/dev/stderr kinit -X X509_user_identity=FILE:./demosc1.crt,./demosc1.key demosc1
[10405] 1496867076.701623: Getting initial credentials for demosc1@TESTRELM.TEST
[10405] 1496867076.701863: Sending request (177 bytes) to TESTRELM.TEST
[10405] 1496867076.702138: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.722477: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744842: Received answer (307 bytes) from stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744863: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.744919: Response was from master KDC
[10405] 1496867076.745044: Received error from KDC: -1765328359/Additional pre-authentication required
[10405] 1496867076.745092: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[10405] 1496867076.745117: Selected etype info: etype aes256-cts, salt "\u@&&a_Y&JO#noFf", params ""
[10405] 1496867076.745124: Received cookie: MIT
[10405] 1496867076.745327: Preauth module pkinit (147) (info) returned: 0/Success
[10405] 1496867076.746121: PKINIT client computed kdc-req-body checksum 9/55D4408C0BA71C9FEE06ECB447757D4DC5C1C632
[10405] 1496867076.746133: PKINIT client making DH request
[10405] 1496867076.766678: Preauth module pkinit (16) (real) returned: 0/Success
[10405] 1496867076.766698: Produced preauth for next request: 133, 16
[10405] 1496867076.766720: Sending request (4080 bytes) to TESTRELM.TEST
[10405] 1496867076.766778: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.786925: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827660: Received answer (3493 bytes) from stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827689: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10405] 1496867076.827744: Response was from master KDC
[10405] 1496867076.827817: Processing preauth types: 17, 19
[10405] 1496867076.827828: Selected etype info: etype aes256-cts, salt "\u@&&a_Y&JO#noFf", params ""
[10405] 1496867076.828162: PKINIT client verified DH reply
[10405] 1496867076.828176: PKINIT client config accepts KDC dNSName SAN
[10405] 1496867076.828189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/TESTRELM.TEST@TESTRELM.TEST
[10405] 1496867076.828196: PKINIT client matched KDC principal krbtgt/TESTRELM.TEST@TESTRELM.TEST against id-pkinit-san; no EKU check required
[10405] 1496867076.834978: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/38EB
[10405] 1496867076.835002: Preauth module pkinit (17) (real) returned: 0/Success
[10405] 1496867076.835016: Produced preauth for next request: (empty)
[10405] 1496867076.835021: AS key determined by preauth: aes256-cts/38EB
[10405] 1496867076.835075: Decrypted AS reply; session key is: aes256-cts/CB62
[10405] 1496867076.835100: FAST negotiation: available
[10405] 1496867076.835121: Initializing FILE:./cc.cache with default princ demosc1@TESTRELM.TEST
[10405] 1496867076.835314: Storing demosc1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST in FILE:./cc.cache
[10405] 1496867076.835358: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST@TESTRELM.TEST: fast_avail: yes
[10405] 1496867076.835385: Storing demosc1@TESTRELM.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache
[10405] 1496867076.835408: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST@TESTRELM.TEST: pa_type: 16
[10405] 1496867076.835428: Storing demosc1@TESTRELM.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache
[10405] 1496867076.835453: Storing config in FILE:./cc.cache for krbtgt/TESTRELM.TEST@TESTRELM.TEST: pa_config_data: {"X509_user_identity":"FILE:./demosc1.crt,./demosc1.key"}
[10405] 1496867076.835473: Storing demosc1@TESTRELM.TEST -> krb5_ccache_conf_data/pa_config_data/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in FILE:./cc.cache

[root@dhcp129-184 test]# KRB5CCNAME=./cc.cache KRB5_TRACE=/dev/stderr kvno foobar/`hostname`
[10407] 1496867083.258804: Getting credentials demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST using ccache FILE:./cc.cache
[10407] 1496867083.259167: Retrieving demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST from FILE:./cc.cache with result: -1765328243/Matching credential not found (filename: ./cc.cache)
[10407] 1496867083.259434: Retrieving demosc1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST from FILE:./cc.cache with result: 0/Success
[10407] 1496867083.259459: Starting with TGT for client realm: demosc1@TESTRELM.TEST -> krbtgt/TESTRELM.TEST@TESTRELM.TEST
[10407] 1496867083.259475: Requesting tickets for foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST, referrals on
[10407] 1496867083.259555: Generated subkey for TGS request: aes256-cts/37F3
[10407] 1496867083.259644: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[10407] 1496867083.259854: Encoding request body and padata into FAST request
[10407] 1496867083.259974: Sending request (1710 bytes) to TESTRELM.TEST
[10407] 1496867083.260260: Initiating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.280546: Sending TCP request to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303594: Received answer (1653 bytes) from stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303622: Terminating TCP connection to stream IPASERVER_IPSCRUBBED:88
[10407] 1496867083.303678: Response was from master KDC
[10407] 1496867083.303746: Decoding FAST response
[10407] 1496867083.303834: FAST reply key: aes256-cts/CDEC
[10407] 1496867083.303866: TGS reply is for demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST with session key aes256-cts/5328
[10407] 1496867083.303893: TGS request result: 0/Success
[10407] 1496867083.303900: Received creds for desired service foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST
[10407] 1496867083.303912: Storing demosc1@TESTRELM.TEST -> foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST in FILE:./cc.cache
foobar/dhcp129-184.clientdomain.com@TESTRELM.TEST: kvno = 1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304