Bug 1540130 - [RFE] make preauth types more descriptive in krb5 trace
Summary: [RFE] make preauth types more descriptive in krb5 trace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Robbie Harwood
QA Contact: Patrik Kis
URL: https://github.com/krb5/krb5/pull/746
Whiteboard:
Depends On: 1540086
Blocks:
Reported: 2018-01-30 10:29 UTC by Robbie Harwood
Modified: 2018-10-30 08:08 UTC
CC List: 10 users

Fixed In Version: krb5-1.15.1-32.el7
Doc Type: Enhancement
Doc Text:
Feature: human-readable preauth names in krb5 traces
Reason: debuggability, especially for support
Result: fewer magic numbers in debug output
Clone Of: 1540086
Environment:
Last Closed: 2018-10-30 08:08:00 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHSA-2018:3071 (last updated 2018-10-30 08:08:49 UTC)

Description Robbie Harwood 2018-01-30 10:29:01 UTC
+++ This bug was initially created as a clone of Bug #1540086 +++

When pre-auth mechanisms are reported in an AS-REQ/AS-REP exchange between a Kerberos initiator and a KDC, there is no way to tell what they are except by knowing them by heart.

It would be nice for KRB5_TRACE to provide the name of the preauth module that handles a specific mechanism.

An example:
$ KRB5_TRACE=/dev/stderr kinit abbra
[30477] 1517302644.484474: Resolving unique ccache of type KEYRING
[30477] 1517302644.484475: Getting initial credentials for abbra
[30477] 1517302644.484477: Sending request (183 bytes) to FEDORAPROJECT.ORG
[30477] 1517302644.484478: Resolving hostname id.fedoraproject.org
[30477] 1517302645.51056: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302645.51057: Sending HTTPS request to https 140.211.169.206:443
[30477] 1517302645.51058: Received answer (317 bytes) from https 140.211.169.206:443
[30477] 1517302645.51059: Terminating TCP connection to https 140.211.169.206:443
[30477] 1517302646.200324: Response was not from master KDC
[30477] 1517302646.200325: Received error from KDC: -1765328359/Additional pre-authentication required
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133

In the line above we have a list of preauth types returned by the KDC but no explanation of which preauth modules could handle them.

[30477] 1517302646.200329: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302646.200330: Received cookie: MIT
Password for abbra: 
[30477] 1517302651.883541: AS key obtained for encrypted timestamp: aes256-cts/02B4
[30477] 1517302651.883543: Encrypted timestamp (for 1517302651.177437): plain 301AA011180F32303138303133303038353733315AA105020302B51D, encrypted A62EAB9C8913CCE3C6B7E955B830510CC42F565DF925A63C97E6178EC245F17D4C871148DECA652E9A64120ED608E8283E06C9B284B4EEEE
[30477] 1517302651.883544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[30477] 1517302651.883545: Produced preauth for next request: 133, 2

Here we chose two modules for the next request, but only one module explains its preauth type. It would be good to have all of them covered.

[30477] 1517302651.883546: Sending request (278 bytes) to FEDORAPROJECT.ORG
[30477] 1517302651.883547: Resolving hostname id.fedoraproject.org
[30477] 1517302652.258952: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302652.258953: Sending HTTPS request to https 209.132.190.2:443
[30477] 1517302652.258954: Received answer (743 bytes) from https 209.132.190.2:443
[30477] 1517302652.258955: Terminating TCP connection to https 209.132.190.2:443
[30477] 1517302653.408571: Response was not from master KDC
[30477] 1517302653.408572: Processing preauth types: 19

Here we get another preauth type response but no explanation of the module handling the type.

[30477] 1517302653.408573: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408575: AS key determined by preauth: aes256-cts/02B4
[30477] 1517302653.408576: Decrypted AS reply; session key is: aes256-cts/01D7
[30477] 1517302653.408577: FAST negotiation: available

Having the preauth module name annotated next to the preauth type could help with debugging and also with support cases.
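
As an added example (not code from this bug report or from krb5 itself), here is a small post-processor that annotates the numeric preauth type lists in the trace quoted above with their registry names, which is roughly what the requested enhancement produces in the trace itself. The name table is assumed from RFC 4120, RFC 6112, RFC 6113 and the IANA "Kerberos Parameters" registry and deliberately covers only a few common types; anything else is rendered as "unknown".

```python
import re

# Preauth type numbers to names, as assumed from RFC 4120 section 7.5.2,
# RFC 6113 (FAST, cookie, encrypted challenge), RFC 6112 (PKINIT-KX) and the
# IANA "Kerberos Parameters" registry. Unlisted numbers are never guessed.
PA_NAMES = {
    2: "PA-ENC-TIMESTAMP",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    138: "PA-ENCRYPTED-CHALLENGE",
    147: "PA-PKINIT-KX",
}

# Trace lines whose message ends in a comma-separated list of preauth types.
LIST_RE = re.compile(
    r"^(?P<prefix>\[\d+\] \d+\.\d+: (?:Processing preauth types|"
    r"Produced preauth for next request): )(?P<types>\d+(?:, \d+)*)$"
)

def pa_name(patype: int) -> str:
    """Render one preauth type as 'NAME (number)'."""
    return f"{PA_NAMES.get(patype, 'unknown')} ({patype})"

def annotate_line(line: str) -> str:
    """Annotate the preauth type list on one KRB5_TRACE line, if it has one."""
    line = line.rstrip("\n")
    m = LIST_RE.match(line)
    if m is None:  # no numeric type list (e.g. "(empty)"): leave it alone
        return line
    types = [int(t) for t in m.group("types").split(", ")]
    return m.group("prefix") + ", ".join(pa_name(t) for t in types)

def annotate_trace(trace: str) -> str:
    return "\n".join(annotate_line(ln) for ln in trace.splitlines())

# Constructed sample: three lines taken from the trace quoted in this bug.
SAMPLE = (
    "[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133\n"
    "[30477] 1517302651.883545: Produced preauth for next request: 133, 2\n"
    "[30477] 1517302653.408574: Produced preauth for next request: (empty)\n"
)

if __name__ == "__main__":
    print(annotate_trace(SAMPLE))
```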

Comment 10 errata-xmlrpc 2018-10-30 08:08:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3071