Bug 1540130 - [RFE] make preauth types more descriptive in krb5 trace
Summary: [RFE] make preauth types more descriptive in krb5 trace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Robbie Harwood
QA Contact: Patrik Kis
URL: https://github.com/krb5/krb5/pull/746
Whiteboard:
Depends On: 1540086
Blocks:
Reported: 2018-01-30 10:29 UTC by Robbie Harwood
Modified: 2018-10-30 08:08 UTC
CC: 10 users

Fixed In Version: krb5-1.15.1-32.el7
Doc Type: Enhancement
Doc Text:
Feature: human-readable preauth names in krb5 traces
Reason: debugability, especially for support
Result: fewer magic numbers in debug output
Clone Of: 1540086
Environment:
Last Closed: 2018-10-30 08:08:00 UTC




Links
System: Red Hat Product Errata, ID: RHSA-2018:3071, Priority: None, Status: None, Summary: None, Last Updated: 2018-10-30 08:08:49 UTC

Description Robbie Harwood 2018-01-30 10:29:01 UTC
+++ This bug was initially created as a clone of Bug #1540086 +++

When pre-auth mechanisms are reported in an AS-REQ/AS-REP exchange between a Kerberos initiator and a KDC, there is no way to tell what they are except by knowing them by heart.

It would be nice to have KRB5_TRACE provide the name of the preauth module that handles a specific mechanism.

An example:
$ KRB5_TRACE=/dev/stderr kinit abbra@FEDORAPROJECT.ORG
[30477] 1517302644.484474: Resolving unique ccache of type KEYRING
[30477] 1517302644.484475: Getting initial credentials for abbra@FEDORAPROJECT.ORG
[30477] 1517302644.484477: Sending request (183 bytes) to FEDORAPROJECT.ORG
[30477] 1517302644.484478: Resolving hostname id.fedoraproject.org
[30477] 1517302645.51056: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302645.51057: Sending HTTPS request to https 140.211.169.206:443
[30477] 1517302645.51058: Received answer (317 bytes) from https 140.211.169.206:443
[30477] 1517302645.51059: Terminating TCP connection to https 140.211.169.206:443
[30477] 1517302646.200324: Response was not from master KDC
[30477] 1517302646.200325: Received error from KDC: -1765328359/Additional pre-authentication required
[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133

In the line above we have a list of preauth types returned by the KDC but no explanation of which preauth modules could handle them.

[30477] 1517302646.200329: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302646.200330: Received cookie: MIT
Password for abbra@FEDORAPROJECT.ORG: 
[30477] 1517302651.883541: AS key obtained for encrypted timestamp: aes256-cts/02B4
[30477] 1517302651.883543: Encrypted timestamp (for 1517302651.177437): plain 301AA011180F32303138303133303038353733315AA105020302B51D, encrypted A62EAB9C8913CCE3C6B7E955B830510CC42F565DF925A63C97E6178EC245F17D4C871148DECA652E9A64120ED608E8283E06C9B284B4EEEE
[30477] 1517302651.883544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[30477] 1517302651.883545: Produced preauth for next request: 133, 2

Here we chose two modules for the next request, but only one module explains its preauth type. It would be good to have all of them covered.

[30477] 1517302651.883546: Sending request (278 bytes) to FEDORAPROJECT.ORG
[30477] 1517302651.883547: Resolving hostname id.fedoraproject.org
[30477] 1517302652.258952: TLS certificate name matched "id.fedoraproject.org"
[30477] 1517302652.258953: Sending HTTPS request to https 209.132.190.2:443
[30477] 1517302652.258954: Received answer (743 bytes) from https 209.132.190.2:443
[30477] 1517302652.258955: Terminating TCP connection to https 209.132.190.2:443
[30477] 1517302653.408571: Response was not from master KDC
[30477] 1517302653.408572: Processing preauth types: 19

Here we get another preauth type response but no explanation of the module handling the type.

[30477] 1517302653.408573: Selected etype info: etype aes256-cts, salt " !;%S"YOH=nT;>h>", params ""
[30477] 1517302653.408574: Produced preauth for next request: (empty)
[30477] 1517302653.408575: AS key determined by preauth: aes256-cts/02B4
[30477] 1517302653.408576: Decrypted AS reply; session key is: aes256-cts/01D7
[30477] 1517302653.408577: FAST negotiation: available

Having the preauth module name annotated next to the preauth type could help with debugging and also with support cases.
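The post-processing a support engineer would do by hand on the trace above, as an added example (not part of the bug report and not krb5's own code): a small annotator that rewrites the "Processing preauth types" and "Produced preauth for next request" lines with the registered PA-DATA names from the IANA Kerberos pre-authentication registry. The name table is a hand-picked subset, and the sample trace lines are constructed to mirror the ones in the report.

```python
import re
from typing import Dict, List

# Added example, not part of krb5: map numeric PA-DATA types to their
# registered names (IANA registry; RFC 4120, RFC 4556, RFC 6112, RFC 6113).
# Only a subset is listed; unknown types are shown as "?" rather than guessed.
PA_TYPE_NAMES: Dict[int, str] = {
    2: "PA-ENC-TIMESTAMP",
    3: "PA-PW-SALT",
    11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD",
    15: "PA-PK-AS-REP_OLD",
    16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP",
    19: "PA-ETYPE-INFO2",
    128: "PA-PAC-REQUEST",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    137: "PA-FX-ERROR",
    138: "PA-ENCRYPTED-CHALLENGE",
    141: "PA-OTP-CHALLENGE",
    147: "PA-PKINIT-KX",
}

# Matches the two KRB5_TRACE line shapes that carry a comma-separated list of types.
_PA_LIST_RE = re.compile(
    r"^(.*(?:Processing preauth types|Produced preauth for next request): )(.+)$")

def pa_name(pa_type: int) -> str:
    """Return 'NAME (n)' for a known type, '? (n)' for an unknown one."""
    return f"{PA_TYPE_NAMES.get(pa_type, '?')} ({pa_type})"

def annotate_line(line: str) -> str:
    """Rewrite a trace line's numeric type list with names; leave other lines as-is."""
    m = _PA_LIST_RE.match(line)
    if not m:
        return line
    tokens = [t.strip() for t in m.group(2).split(",")]
    if not all(t.isdigit() for t in tokens):   # e.g. "(empty)" stays untouched
        return line
    return m.group(1) + ", ".join(pa_name(int(t)) for t in tokens)

def annotate_trace(lines: List[str]) -> List[str]:
    return [annotate_line(line) for line in lines]

# Constructed sample, modelled on the trace lines quoted in the report.
SAMPLE = [
    "[30477] 1517302646.200328: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133",
    "[30477] 1517302651.883545: Produced preauth for next request: 133, 2",
    "[30477] 1517302653.408574: Produced preauth for next request: (empty)",
]

if __name__ == "__main__":
    for out in annotate_trace(SAMPLE):
        print(out)
```

Feed a real trace through `annotate_trace(sys.stdin.readlines())` to get the annotated view while running a krb5 that predates the fix.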

Comment 10 errata-xmlrpc 2018-10-30 08:08:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3071

