1630361 – PKINIT fails in FIPS mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1630361 - PKINIT fails in FIPS mode

Summary: PKINIT fails in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-09-18 13:02 UTC by Florence Blanc-Renaud
Modified:	2018-10-30 11:01 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-4.6.4-10.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 11:00:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1485217	0	medium	CLOSED	[RFE] Warn or adjust umask if it is too restrictive to break installation	2023-09-07 18:58:17 UTC
Red Hat Product Errata	RHBA-2018:3187	0	None	None	None	2018-10-30 11:01:37 UTC

Internal Links: 1485217

Description Florence Blanc-Renaud 2018-09-18 13:02:16 UTC

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/7594

### Issue
CIS hardened images with FIPS 140-2 enabled do not allow Fresh install of FreeIPA 4.5 to work.

#### Steps to Reproduce

This is less about steps to reproduce, and more about what I needed to do to make freeIPA work on a FIPS 140-2 and CIS-1 2.2.0 level harden

The default umask for the following files is too restrictive and causes kinit -n to fail

~~~~
[root@example ]# kinit -n
Password for WELLKNOWN/ANONYMOUS.COM:
~~~~

Kinit was asking for a password instead of trusing the certs

These files in a CIS image are root:root 600, they need to be root:root 644
~~~~
/var/lib/ipa-client/pki/ca-bundle.pem
/etc/pki/ca-trust/source/ipa.p11-kit
~~~~
Once the permissions are fixed, you can kinit -n 

The web server fails to allow you to log in because the permissions are too restrictive on /etc/httpd/alias, the permissions shuold be 755 but CIS changes them to 600

Checking the error logs, the only detail that was returned was this

~~~~
ipa: INFO: 401 Unauthorized: [Errno 13] Permission denied
~~~~

I straced all the apache pids to determine the real error
~~~~
ps auxw | grep -E 'sbin/(apache|httpd)' | awk '{print"-p " $2}' | xargs strace -e trace=write -F -s 100000000
~~~~
When entering the username/password the following segfault is returned.
~~~~
[pid 23361] write(2, "[Thu Jun 21 18:00:54.930103 2018] [:error] [pid 23361] Unable to change directory to /etc/httpd/alias\n", 102) = 102
[pid 23361] write(2, "[Thu Jun 21 18:00:54.930307 2018] [:error] [pid 23361] Does the directory exist and do the permissions allow access?\n", 117) = 117
[pid 23361] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x28} ---
~~~~
Once the permissions were solved on  /etc/httpd/alias there were still issues, the ipaapi proxy was still returning problems.  

The httpd logs still said 
~~~~
ipa: INFO: 401 Unauthorized: [Errno 13] Permission denied
~~~~
but there were no more segfaults or problems, i traced the ipaapi process 

~~~~
ps auxw | grep -E 'ipaapi' | awk '{print"-p " $2}' | xargs strace -e trace=open -F -s 100000000
~~~~

after tracing the ipaapi proxy i found that /etc/ipa/ca.crt were also too restrictive (600), they shuold be 644

~~~~
[pid 25624] open("/etc/ipa/ca.crt", O_RDONLY) = -1 EACCES (Permission denied)
~~~~
After changing the permissions to 644 everything works.

In summary the following changes needed to be made to make FreeIPA work on a CIS hardened machine.
~~~~
chmod 644 /var/lib/ipa-client/pki/ca-bundle.pem
chmod 644 /etc/pki/ca-trust/source/ipa.p11-kit
chmod 755 /etc/httpd/alias/
chmod 644 /etc/ipa/ca.crt
~~~~
#### Actual behavior
kinit -n does not work, and unable to log into the web UI

#### Expected behavior
FreeIPA works with CIS restrictive umask settings

#### Version/Release/Distribution
   $ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server

package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.4-10.el7.centos.1.x86_64
ipa-client-4.5.4-10.el7.centos.1.x86_64
389-ds-base-1.3.7.5-21.el7_5.x86_64
pki-ca-10.5.1-9.el7.noarch
krb5-server-1.15.1-19.el7.x86_64


#### Additional info:
Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.

~~~~

logs available in pagure ticket

Comment 2 Florence Blanc-Renaud 2018-09-18 13:04:32 UTC

Fixed upstream
master:

    ba8cbb8 Ensure that public cert and CA bundle are readable
    1434f2a Always make ipa.p11-kit world-readable
    89b2137 Make /etc/httpd/alias world readable & executable
    c2eb0f1 Fix permission of public files in upgrader

ipa-4-6:

    fc63ad8 Ensure that public cert and CA bundle are readable
    9576e3c Always make ipa.p11-kit world-readable
    b76b50d Make /etc/httpd/alias world readable & executable
    8164fba Fix permission of public files in upgrader

Comment 3 Martin Kosek 2018-09-18 13:10:42 UTC

I fixed the title to match the issue being solved here.

As for the umask errors, I assume those rather resolved rather in Bug 1485217.

Comment 5 Nikhil Dehadrai 2018-09-20 12:44:48 UTC

Version:
pki-server-10.5.9-6.el7.noarch
ipa-server-4.6.4-10.el7.x86_64


Verified the bug on the basis of following steps:
1. Setup RHEL 7.6 system in FIPS mode.
2. run command 'umask 077' on this system.
3. Install IPA server in FIPS mode.
4. Check file perfissions related with ipa
5. Check IPA UI login
6. run command 'kinit -n'


Result:
---------
1. After step3, ipa-server installation is successful
2. File permissions are setup correctly.
3. Login to ipa-server UI successful
4. 'kinit -n' command is successful


Console:
=====================


Before install:
---------------
[root@vm-idm-022 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64
[root@vm-idm-022 ~]# umask 077
[root@vm-idm-022 ~]# ipa-server-install


After install:
-------------
[root@vm-idm-022 ~]# tail -1 /var/log/ipaserver-install.log 
2018-09-20T12:12:11Z INFO The ipa-server-install command was successful

[root@vm-idm-022 ~]# ls -l /var/lib/ipa-client/pki/ca-bundle.pem
-rw-r--r--. 1 root root 1298 Sep 20 17:41 /var/lib/ipa-client/pki/ca-bundle.pem

[root@vm-idm-022 ~]# ls -l /etc/pki/ca-trust/source/ipa.p11-kit
-rw-r--r--. 1 root root 2505 Sep 20 17:41 /etc/pki/ca-trust/source/ipa.p11-kit

[root@vm-idm-022 ~]# ls -ld /etc/httpd/alias/
drwxr-x---. 2 root apache 198 Sep 20 17:39 /etc/httpd/alias/

[root@vm-idm-022 ~]# ls -l /etc/ipa/ca.crt
-rw-r--r--. 1 root root 1298 Sep 20 17:37 /etc/ipa/ca.crt

[root@vm-idm-022 ~]# rpm -q ipa-server
ipa-server-4.6.4-10.el7.x86_64

[root@vm-idm-022 ~]# cat /proc/sys/crypto/fips_enabled
1

[root@vm-idm-022 ~]# Login UI successful


[root@vm-idm-022 ~]# kinit -n
[root@vm-idm-022 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_nRruePb
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
09/20/2018 17:48:25  09/21/2018 17:48:24  krbtgt/TESTRELM.TEST
[root@vm-idm-022 ~]#


Also, verified the same on Replica system with similar results.

Thus on the basis of above observations marking the status of bug to 'VERIFIED'

Comment 7 errata-xmlrpc 2018-10-30 11:00:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

Note You need to log in before you can comment on or make changes to this bug.