Bug 1571754 - kinit failing for radius user when FIPS mode is enabled
Summary: kinit failing for radius user when FIPS mode is enabled
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.5
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Marc Muehlfeld
QA Contact: ipa-qe
URL:
Whiteboard:
Keywords: Documentation
Depends On:
Blocks: 1559484
TreeView+ depends on / blocked
 
Reported: 2018-04-25 11:17 UTC by Mohammad Rizwan
Modified: 2019-04-09 10:31 UTC (History)
14 users (show)

(edit)
RADIUS proxy functionality is now also available in IdM running in FIPS mode 

In FIPS mode, OpenSSL disables the use of the MD5 digest algorithm by default. Consequently, because the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail. 

If the RADIUS server is running on the same host as the IdM master, you can work around the problem and enable MD5 within the secure perimeter. 

To do that, create a file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content: 

    # /etc/systemd/system/radiusd.service.d/ipa-otp.conf 
    [Service] 
    Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1 

To apply the change, reload the *systemd* configuration: 

   # systemctl daemon-reload 

and start the *radiusd* service: 

   # systemctl start radiusd 

The configuration of the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. Specify this secret in the configuration of the RADIUS proxy in RHEL IdM using the command line interface (CLI) or web UI. To do it in the CLI:

   # ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
Clone Of:
(edit)
Last Closed: 2019-04-09 10:31:54 UTC


Attachments (Terms of Use)

Description Mohammad Rizwan 2018-04-25 11:17:33 UTC
Description of problem:
kinit failing for radius user when FIPS mode is enabled

Version-Release number of selected component (if applicable):
ipa-server-4.5.4-10.el7_5.1.x86_64

How reproducible:
always

Steps to Reproduce:
1) yum install freeradius freeradius-ldap freeradius-utils

2) add ipa user
    $ ipa user-add --first None --last None radiususer --passwd

3) add radiusproxy
   $ ipa radiusproxy-add radiusproxy01 --server=127.0.0.1

4) modify radius user
   $ kinit admin
   $ ipa user-mod --user-auth-type=radius radiususer
   $ ipa user-mod --radius=radiusproxy01

5) add following user entry to /etc/raddb/users
   radiususer  Cleartext-Password := "Secret123"

6) start radisud
   $ systemctl start radiusd

7) try login
   $ kdestroy -A
   $ kswitch -c KEYRING:persistent:0:0
   $ kinit admin
   $ kinit -T KEYRING:persistent:0:0 radiususer

Actual results:
kinit: Preauthentication failed while getting initial credentials

Expected results:
kinit pass

Comment 2 Rob Crittenden 2018-05-18 20:15:32 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7551

Comment 3 Robbie Harwood 2018-05-21 16:25:36 UTC
Do we have a test setup for this?  Would help to identify which component needs fixed.

Comment 4 Mohammad Rizwan 2018-05-22 06:01:21 UTC
Hi Robbie,

I don't have setup at the moment. I'll spin one and provide machine details.

Comment 6 Robbie Harwood 2018-05-23 15:05:20 UTC
Thanks Mohammad.

It appears that radiusd dying to SIGABRT causes the kinit failure.  Here's a traceback:

(gdb) bt
#0  0x00007fd37e774207 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fd37e7758f8 in __GI_abort () at abort.c:90
#2  0x00007fd37ff2b98f in OpenSSLDie (file=file@entry=0x7fd38006dcd3 "md5_dgst.c", line=line@entry=82, 
    assertion=assertion@entry=0x7fd38006dcb0 "Digest MD5 forbidden in FIPS mode!") at cryptlib.c:1002
#3  0x00007fd37ff32209 in MD5_Init (c=c@entry=0x7fd3775578c0) at md5_dgst.c:82
#4  0x00007fd3805491bc in rad_pwdecode (
    passwd=passwd@entry=0x7fd377557a90 "\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, pwlen=pwlen@entry=16, secret=secret@entry=0x557522ecbb80 "testing123", 
    vector=vector@entry=0x557522f94fa8 "\241\201\005[(\224\206^\200P\313\066\024\202Q!\241\201\005[")
    at src/lib/radius.c:4466
#5  0x00007fd38054a60a in data2vp (ctx=ctx@entry=0x557522f94f60, packet=packet@entry=0x557522f94f60, 
    original=original@entry=0x0, secret=secret@entry=0x557522ecbb80 "testing123", da=0x557522cf1940, 
    start=start@entry=0x557522f9509e "\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, attrlen=16, packetlen=16, pvp=pvp@entry=0x7fd377557c78) at src/lib/radius.c:3721
#6  0x00007fd38054af5d in rad_attr2vp (ctx=ctx@entry=0x557522f94f60, 
    packet=packet@entry=0x557522f94f60, original=original@entry=0x0, 
    secret=secret@entry=0x557522ecbb80 "testing123", 
    data=data@entry=0x557522f9509c "\002\022\277!\211\020\324i\017m\215\346\v\352\037\375", <incomplete sequence \347>, length=length@entry=18, pvp=pvp@entry=0x7fd377557c78) at src/lib/radius.c:4144
#7  0x00007fd38054cf8f in rad_decode (packet=0x557522f94f60, original=0x0, 
    secret=0x557522ecbb80 "testing123") at src/lib/radius.c:4309
#8  0x0000557521c21868 in request_pre_handler (action=1, request=0x557522f95110)
    at src/main/process.c:1236
#9  request_running (request=0x557522f95110, action=<optimized out>) at src/main/process.c:1523
#10 0x0000557521c1a7bc in request_handler_thread (arg=0x557522f86790) at src/main/threads.c:698
#11 0x00007fd37ef8fdd5 in start_thread (arg=0x7fd377558700) at pthread_create.c:308
#12 0x00007fd37e83cb3d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) 

This looks like an openssl assertion.  In MD5_Init (#3), it's checking for FIPS mode and then dying.  Right at that line, there appears to be an env var OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW that is also checked, but I can't actually find any docs on it.  Probably best to check with openssl developers.

Comment 7 Alexander Bokovoy 2018-05-23 16:15:18 UTC
This environmental variable is described in https://bugzilla.redhat.com/show_bug.cgi?id=673071

Comment 8 Alexander Bokovoy 2018-05-23 16:24:56 UTC
I guess one possibility to avoid code modification is to add this variable to the systemd unit for radiusd.

I did that on the test system and while radiusd didn't fail, it rejected the request.

# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1

[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl start radiusd

[root@master ~]# kinit -n
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dfgnkl1
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
23.05.2018 12.20.36  24.05.2018 12.20.36  krbtgt/TESTRELM.TEST@TESTRELM.TEST
[root@master ~]# kinit -T KEYRING:persistent:0:krb_ccache_dfgnkl1 radiususer
Enter OTP Token Value: 
kinit: Preauthentication failed while getting initial credentials
[root@master ~]# journalctl -f
-- Logs begin at ti 2018-05-22 06:42:11 EDT. --
touko 23 12:19:27 master.testrelm.test polkitd[1016]: Unregistered Authentication Agent for unix-process:13506:10663663 (system bus name :1.296, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
touko 23 12:20:01 master.testrelm.test systemd[1]: Started Session 95 of user root.
touko 23 12:20:01 master.testrelm.test systemd[1]: Starting Session 95 of user root.
touko 23 12:20:01 master.testrelm.test CROND[13529]: (root) CMD (test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null)
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: request received
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: user query start
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: user query end: uid=radiususer,cn=users,cn=accounts,dc=testrelm,dc=test
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: radius query start: cn=radiusproxy01,cn=radiusproxy,dc=testrelm,dc=test
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: radius query end: 127.0.0.1
touko 23 12:21:03 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: forward start: radiususer / 127.0.0.1
touko 23 12:21:18 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: forward end: Connection timed out
touko 23 12:21:18 master.testrelm.test ipa-otpd[13070]: radiususer@TESTRELM.TEST: response sent: Access-Reject
^C

Comment 9 Alexander Bokovoy 2018-05-23 16:29:54 UTC
Ok, this was misconfiguration on the radiusproxy side:

[root@master ~]# ipa radiusproxy-mod radiusproxy01 --secret
Secret: 
Enter Secret again to verify: 
--------------------------------------------
Modified RADIUS proxy server "radiusproxy01"
--------------------------------------------
  RADIUS proxy server name: radiusproxy01
  Server: 127.0.0.1
  Secret: SOME-SECRET-AS-DEFINED-in-clients.conf
[root@master ~]# kinit -T KEYRING:persistent:0:krb_ccache_dfgnkl1 radiususer
Enter OTP Token Value: 
[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_5sMKPvE
Default principal: radiususer@TESTRELM.TEST

Valid starting       Expires              Service principal
23.05.2018 12.28.46  24.05.2018 12.28.43  krbtgt/TESTRELM.TEST@TESTRELM.TEST

Comment 10 Alexander Bokovoy 2018-05-23 16:32:39 UTC
So, basically, we need to document that for using FreeRADIUS with IPA in FIPS mode on the same IPA master, one needs to allow FreeRADIUS to use MD5 algorithm via following configuration sequence:

[root@master ~]# mkdir /etc/systemd/system/radiusd.service.d/
...
[root@master ~]# cat /etc/systemd/system/radiusd.service.d/ipa-otp.conf

# /etc/systemd/system/radiusd.service.d/ipa-otp.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1

[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl start radiusd

Also, RADIUS proxy requires use of a common secret between the client and the server to wrap credentials. This secret must be specified in the configuration of the RADIUS proxy in IPA.

Comment 11 Alexander Bokovoy 2018-05-24 07:41:02 UTC
Moving back to IPA. I added a known issue doc note and would like to get comment 10 added as a section in the official documentation. Setting need info for Filip.

Comment 14 Florence Blanc-Renaud 2018-05-31 14:24:52 UTC
I am moving this BZ to a documentation bug as it does not require any work on the dev side but only a doc update.

Comment 15 Rob Crittenden 2018-07-27 19:05:54 UTC
Unlinking upstream ticket.

Comment 28 Marc Muehlfeld 2019-04-09 10:31:54 UTC
The update is now available on the Customer Portal.


Note You need to log in before you can comment on or make changes to this bug.