Red Hat Bugzilla – Bug 1571754
kinit failing for radius user when FIPS mode is enabled
Last modified: 2018-10-30 06:44:14 EDT
Description of problem:
kinit failing for radius user when FIPS mode is enabled

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.1.x86_64

How reproducible:
always

Steps to Reproduce:
1) yum install freeradius freeradius-ldap freeradius-utils
2) add ipa user
   $ ipa user-add --first None --last None radiususer --passwd
3) add radiusproxy
   $ ipa radiusproxy-add radiusproxy01 --server=127.0.0.1
4) modify radius user
   $ kinit admin
   $ ipa user-mod --user-auth-type=radius radiususer
   $ ipa user-mod --radius=radiusproxy01
5) add following user entry to /etc/raddb/users
   radiususer Cleartext-Password := "Secret123"
6) start radiusd
   $ systemctl start radiusd
7) try login
   $ kdestroy -A
   $ kswitch -c KEYRING:persistent:0:0
   $ kinit admin
   $ kinit -T KEYRING:persistent:0:0 radiususer

Actual results:
kinit: Preauthentication failed while getting initial credentials

Expected results:
kinit pass
Upstream ticket: https://pagure.io/freeipa/issue/7551
Do we have a test setup for this? Would help to identify which component needs fixed.
Hi Robbie, I don't have setup at the moment. I'll spin one and provide machine details.
Thanks Mohammad. It appears that radiusd dying to SIGABRT causes the kinit failure. Here's a traceback:

(gdb) bt
#0  0x00007fd37e774207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fd37e7758f8 in __GI_abort () at abort.c:90
#2  0x00007fd37ff2b98f in OpenSSLDie (file=file@entry=0x7fd38006dcd3 "md5_dgst.c", line=line@entry=82, assertion=assertion@entry=0x7fd38006dcb0 "Digest MD5 forbidden in FIPS mode!") at cryptlib.c:1002
#3  0x00007fd37ff32209 in MD5_Init (c=c@entry=0x7fd3775578c0) at md5_dgst.c:82
#4  0x00007fd3805491bc in rad_pwdecode (passwd=passwd@entry=0x7fd377557a90 "\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, pwlen=pwlen@entry=16, secret=secret@entry=0x557522ecbb80 "testing123", vector=vector@entry=0x557522f94fa8 "\241\201\005[(\224\206^\200P\313\066\024\202Q!\241\201\005[") at src/lib/radius.c:4466
#5  0x00007fd38054a60a in data2vp (ctx=ctx@entry=0x557522f94f60, packet=packet@entry=0x557522f94f60, original=original@entry=0x0, secret=secret@entry=0x557522ecbb80 "testing123", da=0x557522cf1940, start=start@entry=0x557522f9509e "\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, attrlen=16, packetlen=16, pvp=pvp@entry=0x7fd377557c78) at src/lib/radius.c:3721
#6  0x00007fd38054af5d in rad_attr2vp (ctx=ctx@entry=0x557522f94f60, packet=packet@entry=0x557522f94f60, original=original@entry=0x0, secret=secret@entry=0x557522ecbb80 "testing123", data=data@entry=0x557522f9509c "\002\022\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, length=length@entry=18, pvp=pvp@entry=0x7fd377557c78) at src/lib/radius.c:4144
#7  0x00007fd38054cf8f in rad_decode (packet=0x557522f94f60, original=0x0, secret=0x557522ecbb80 "testing123") at src/lib/radius.c:4309
#8  0x0000557521c21868 in request_pre_handler (action=1, request=0x557522f95110) at src/main/process.c:1236
#9  request_running (request=0x557522f95110, action=<optimized out>) at src/main/process.c:1523
#10 0x0000557521c1a7bc in request_handler_thread (arg=0x557522f86790) at src/main/threads.c:698
#11 0x00007fd37ef8fdd5 in start_thread (arg=0x7fd377558700) at pthread_create.c:308
#12 0x00007fd37e83cb3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb)

This looks like an openssl assertion. In MD5_Init (#3), it's checking for FIPS mode and then dying. Right at that line, there appears to be an env var OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW that is also checked, but I can't actually find any docs on it. Probably best to check with openssl developers.
This environmental variable is described in https://bugzilla.redhat.com/show_bug.cgi?id=673071
I guess one possibility to avoid code modification is to add this variable to the systemd unit for radiusd. I did that on the test system and while radiusd didn't fail, it rejected the request.

# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1

[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl start radiusd
[root@master ~]# kinit -n
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dfgnkl1
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
23.05.2018 12.20.36  24.05.2018 12.20.36  krbtgt/TESTRELM.TEST@TESTRELM.TEST
[root@master ~]# kinit -T KEYRING:persistent:0:krb_ccache_dfgnkl1 radiususer
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials
[root@master ~]# journalctl -f
-- Logs begin at ti 2018-05-22 06:42:11 EDT. --
touko 23 12:19:27 master.testrelm.test polkitd[1016]: Unregistered Authentication Agent for unix-process:13506:10663663 (system bus name :1.296, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
touko 23 12:20:01 master.testrelm.test systemd[1]: Started Session 95 of user root.
touko 23 12:20:01 master.testrelm.test systemd[1]: Starting Session 95 of user root.
touko 23 12:20:01 master.testrelm.test CROND[13529]: (root) CMD (test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null)
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: request received
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: user query start
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: user query end: uid=radiususer,cn=users,cn=accounts,dc=testrelm,dc=test
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: radius query start: cn=radiusproxy01,cn=radiusproxy,dc=testrelm,dc=test
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: radius query end: 127.0.0.1
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: forward start: radiususer / 127.0.0.1
touko 23 12:21:18 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: forward end: Connection timed out
touko 23 12:21:18 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: response sent: Access-Reject
^C
Ok, this was misconfiguration on the radiusproxy side:

[root@master ~]# ipa radiusproxy-mod radiusproxy01 --secret
Secret:
Enter Secret again to verify:
--------------------------------------------
Modified RADIUS proxy server "radiusproxy01"
--------------------------------------------
  RADIUS proxy server name: radiusproxy01
  Server: 127.0.0.1
  Secret: SOME-SECRET-AS-DEFINED-in-clients.conf
[root@master ~]# kinit -T KEYRING:persistent:0:krb_ccache_dfgnkl1 radiususer
Enter OTP Token Value:
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_5sMKPvE
Default principal: radiususer@TESTRELM.TEST

Valid starting       Expires              Service principal
23.05.2018 12.28.46  24.05.2018 12.28.43  krbtgt/TESTRELM.TEST@TESTRELM.TEST
So, basically, we need to document that for using FreeRADIUS with IPA in FIPS mode on the same IPA master, one needs to allow FreeRADIUS to use MD5 algorithm via following configuration sequence:

[root@master ~]# mkdir /etc/systemd/system/radiusd.service.d/
...
[root@master ~]# cat /etc/systemd/system/radiusd.service.d/ipa-otp.conf
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl start radiusd

Also, RADIUS proxy requires use of a common secret between the client and the server to wrap credentials. This secret must be specified in the configuration of the RADIUS proxy in IPA.
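The two points in the comment above come from the same place: the User-Password hiding of RFC 2865 section 5.2, which is what rad_pwdecode() in the backtrace implements. It is built on MD5 (so a FIPS-enforcing OpenSSL aborts it) and keyed by the shared secret (so a secret mismatch between ipa-otpd and clients.conf decodes to garbage and ends in Access-Reject). The following is an added illustration, not FreeRADIUS or IPA code; the secret "testing123", the password and the 16-byte Request Authenticator are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest length; RFC 2865 hides User-Password in 16-byte blocks


def _md5(data: bytes) -> bytes:
    # MD5 is not optional here: the wire format of RFC 2865 prescribes it.
    # A FIPS-enforcing crypto library refuses MD5, which is exactly the
    # assertion ("Digest MD5 forbidden in FIPS mode!") that aborted radiusd.
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:  # Python < 3.9 has no usedforsecurity keyword
        return hashlib.md5(data).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 5.2): c1 = p1 ^ MD5(S+RA), c_i = p_i ^ MD5(S+c_{i-1})."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)  # NUL-pad to 16n
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        b = _md5(secret + prev)
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        out += c
        prev = c
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side, the job of rad_pwdecode(): same chain, XOR undone, padding stripped."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += bytes(x ^ y for x, y in zip(c, _md5(secret + prev)))
        prev = c
    # RFC 2865 strips trailing NULs, so a password ending in NUL bytes cannot round-trip.
    return bytes(out).rstrip(b"\x00")
```

A wrong secret on either side does not raise; it silently yields an unrelated byte string, which the server then compares against the stored credential and rejects, matching the Access-Reject seen in the journal.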
Moving back to IPA. I added a known issue doc note and would like to get comment 10 added as a section in the official documentation. Setting need info for Filip.
I am moving this BZ to a documentation bug as it does not require any work on the dev side but only a doc update.
Unlinking upstream ticket.