Bug 1776910 - It is possible to add new user into krb5 db via kadmin with supported_encypes=rc4-hmac in FIPS mode
Summary: It is possible to add new user into krb5 db via kadmin with supported_encypes...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: krb5
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Robbie Harwood
QA Contact: Filip Dvorak
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-26 14:54 UTC by Filip Dvorak
Modified: 2019-11-27 08:10 UTC
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-26 18:03:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Filip Dvorak 2019-11-26 14:54:51 UTC
Description of problem:
It is possible to add a new user into the krb5 db via kadmin although the option "supported_enctypes = arcfour-hmac:normal" is set in the kdc.conf file and FIPS mode is enabled.
In my opinion, it should not be possible because the rc4 enctype is not FIPS compliant.

Version-Release number of selected component (if applicable):
RHEL-8.2.0-20191120.0
krb5-1.17-17.el8.x86_64
openssl-1.1.1c-8.el8.x86_64

How reproducible:
always

Steps to Reproduce:
FIPS is enabled
export krb5REALM='TEST.COM'
export krb5HostName=`hostname`
export krb5DomainName=`hostname -d`
export krb5conf="/etc/krb5.conf"
export krb5confdir="/etc/krb5.conf.d"
export krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"
export krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl"

1. sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM/" $krb5conf
2. sed -i "s/\[realms\]/[realms]\n $krb5REALM = {\n  kdc = $krb5HostName\n  admin_server = $krb5HostName\n }/" $krb5conf
3. sed -i "s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM\n $krb5DomainName = $krb5REALM/" $krb5conf
4. sed -i s/EXAMPLE.COM/$krb5REALM/ $krb5kdcconf
5. sed -i s/EXAMPLE.COM/$krb5REALM/ $krb5kadmacl
6. restorecon -Rv $krb5conf /var/kerberos/krb5kdc
7. kdb5_util create -s -P password
8. sed -i 's/supported_enctypes.*/supported_enctypes = arcfour-hmac:normal/' $krb5kdcconf
9. systemctl start kadmin; systemctl start krb5kdc
10. kadmin.local -q "addprinc -pw $krb5RootPass root/admin"
11. kadmin.local -q "addprinc -pw bob bob"

Actual results:
[root]# kadmin.local -q "ank -pw bob bob"
Authenticating as principal root/admin with password.
WARNING: no policy specified for bob; defaulting to no policy
Principal "bob" created.

[root]# kadmin.local -q "getprinc bob"
Authenticating as principal root/admin with password.
Principal: bob
Expiration date: [never]
Last password change: Tue Nov 26 09:08:36 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Nov 26 09:08:36 EST 2019 (root/admin)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DEPRECATED:arcfour-hmac
MKey: vno 1
Attributes:
Policy: [none]

Expected results:
[root]# kadmin.local -q "ank -pw bob bob"
Authenticating as principal root/admin.COM with password.
WARNING: no policy specified for bob.COM; defaulting to no policy
add_principal: Cryptosystem internal error while creating "bob.COM".

Additional info:
/etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_ccache_name = KEYRING:persistent:%{uid}
[realm]
---snipped---

kdc.conf
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88
    spake_preauth_kdc_challenge = edwards25519

[realms]
TEST.COM = {
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = arcfour-hmac:normal
}


Symlink to crypto-policies was removed.
TC#574624: /CoreOS/krb5/Sanity/sanity-test-of-cipher-suites

Comment 1 Robbie Harwood 2019-11-26 18:03:21 UTC
First, thanks for your diligence in testing; I do appreciate that.

Unfortunately this is a requirement from samba (CCing Alexander).  Samba needs to use the rc4 keys in order to perform trust operations.  Samba assures me this is okay under FIPS because the rc4 usage is always tunneled under some stronger encryption.  From a krb5 perspective, it's possible to *create* the keys, but it's not possible to *use* them.  (If you can actually negotiate rc4, we have a bigger problem.)

So I'm not happy about it either, but closing notabug since this is actually intentional.

Comment 2 Alexander Bokovoy 2019-11-26 18:18:34 UTC
That's correct.

Filip, can you please expand your test case to make sure an attempt to use the key is made and fails in FIPS mode?

Comment 3 Filip Dvorak 2019-11-27 08:10:22 UTC
@Robbie: Thanks. It is necessary to test it thoroughly because you don't make any mistakes :)

@Alexander: I checked it and it is not possible to use rc4 keys. It is possible to add a user into a krb5 db via kadmin, but kinit with this user finishes with the unclear error below.
I will modify the test to verify that it is not possible to use this rc4 key.

------------
#kadmin.local -q "getprinc bob"
Authenticating as principal root/admin.COM with password.
Principal: bob.COM
Expiration date: [never]
Last password change: Wed Nov 27 03:04:20 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Nov 27 03:04:20 EST 2019 (root/admin.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DEPRECATED:arcfour-hmac
MKey: vno 1
Attributes:
Policy: [none]

#kinit bob
kinit: Generic error (see e-text) while getting initial credentials

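The outcome of the thread is that krb5 in FIPS mode will store an RC4 (arcfour-hmac) key but refuse to use it, so the practical check on a KDC is to audit for such keys and for a supported_enctypes line that permits them. The script below is an added example, not code from the bug report, from krb5 or from Samba. It parses the two text formats shown above, the [realms] stanza of kdc.conf and the output of kadmin.local -q "getprinc <principal>", and reports every enctype outside an AES-only allowlist. The allowlist, the sample inputs (modelled on the reporter's configuration) and the function names are the example's own assumptions.

```python
"""Audit helper (added example, not part of this bug report or of krb5): flag
Kerberos enctypes that are not FIPS-approved in the two places the thread
shows them, the supported_enctypes line of kdc.conf and the Key: lines of
`kadmin.local -q "getprinc <principal>"` output.
"""
import re

# Assumption for this example: only the AES enctype families (and their krb5
# aliases) count as acceptable under FIPS.  Everything else (RC4/arcfour, DES,
# 3DES, Camellia) is reported.
FIPS_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1",
    "aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1",
    "aes256-cts-hmac-sha384-192", "aes256-sha2",
    "aes128-cts-hmac-sha256-128", "aes128-sha2",
}

# Matches "Key: vno 1, DEPRECATED:arcfour-hmac" as well as
# "Key: vno 2, aes256-cts-hmac-sha1-96:normal" (salt suffix optional).
_KEY_LINE = re.compile(
    r"^\s*Key:\s*vno\s+(\d+),\s*(?:(DEPRECATED):)?([A-Za-z0-9-]+)(?::(\S+))?")


def parse_supported_enctypes(kdc_conf):
    """Return {realm: [enctype, ...]} from the [realms] section of a kdc.conf.

    The salt type after ':' (e.g. "arcfour-hmac:normal") is dropped because only
    the enctype matters for the FIPS question.
    """
    realms = {}
    current = None
    in_realms = False
    for line in kdc_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):          # section header
            in_realms = stripped == "[realms]"
            current = None
            continue
        if not in_realms:
            continue
        m = re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{", stripped)  # "REALM = {"
        if m:
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if stripped == "}":
            current = None
            continue
        m = re.match(r"^supported_enctypes\s*=\s*(.+)$", stripped)
        if m and current:
            realms[current] = [tok.split(":")[0] for tok in m.group(1).split()]
    return realms


def parse_getprinc_keys(getprinc_output):
    """Return [(vno, enctype, deprecated)] for each Key: line of getprinc output."""
    keys = []
    for line in getprinc_output.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(3), m.group(2) is not None))
    return keys


def non_fips_findings(kdc_conf, getprinc_output, principal):
    """One finding string per non-FIPS enctype found in either input."""
    findings = []
    for realm, enctypes in parse_supported_enctypes(kdc_conf).items():
        for enc in enctypes:
            if enc not in FIPS_ENCTYPES:
                findings.append(
                    f"kdc.conf realm {realm}: supported_enctypes allows {enc}")
    for vno, enc, deprecated in parse_getprinc_keys(getprinc_output):
        if enc not in FIPS_ENCTYPES:
            tag = " (krb5 marks it DEPRECATED)" if deprecated else ""
            findings.append(f"principal {principal}: key vno {vno} uses {enc}{tag}")
    return findings


# Constructed sample inputs, modelled on the bug report: the reporter's kdc.conf
# realm stanza and the getprinc output after "addprinc bob".
KDC_CONF_RC4 = """[kdcdefaults]
    kdc_ports = 88

[realms]
TEST.COM = {
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     supported_enctypes = arcfour-hmac:normal
}
"""

# The same stanza with an AES-only enctype list, as a hardened comparison.
KDC_CONF_AES = KDC_CONF_RC4.replace(
    "arcfour-hmac:normal", "aes256-cts:normal aes128-cts:normal")

GETPRINC_BOB = """Principal: bob@TEST.COM
Number of keys: 1
Key: vno 1, DEPRECATED:arcfour-hmac
MKey: vno 1
"""

if __name__ == "__main__":
    for finding in non_fips_findings(KDC_CONF_RC4, GETPRINC_BOB, "bob"):
        print("FINDING:", finding)
    print("hardened kdc.conf findings:", non_fips_findings(KDC_CONF_AES, "", "bob"))
```

On a real KDC the inputs would be the contents of /var/kerberos/krb5kdc/kdc.conf and the captured output of kadmin.local -q "getprinc <name>" for each principal from listprincs; with the reporter's configuration the script reports both the arcfour-hmac entry in supported_enctypes and bob's DEPRECATED:arcfour-hmac key, and reports nothing for the AES-only stanza.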
