Bug 2068458 - Allow libkrad to process TCP/IP requests on localhost in FIPS mode [rhel-9.1]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: krb5
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Julien Rische
QA Contact: Filip Dvorak
URL:
Whiteboard:
Depends On: 2083699
Blocks: 2082189
Reported: 2022-03-25 11:28 UTC by Filip Dvorak
Modified: 2022-11-15 12:53 UTC (History)

Fixed In Version: krb5-1.19.1-20.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2082189
Environment:
Last Closed: 2022-11-15 11:11:42 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System                  ID               Last Updated
Red Hat Issue Tracker   FREEIPA-8075     2022-03-25 11:39:41 UTC
Red Hat Issue Tracker   RHELPLAN-116822  2022-03-25 11:39:45 UTC
Red Hat Product Errata  RHBA-2022:8271   2022-11-15 11:12:15 UTC

Description Filip Dvorak 2022-03-25 11:28:46 UTC
Description of problem:
IPA installed on RHEL 9.0 with FIPS mode enabled fails to authenticate a user using RADIUS (OTP). The same scenario works with FIPS mode disabled.

Version-Release number of selected component (if applicable):
ipa-server-4.9.8-7.el9_0.x86_64
krb5-server-1.19.1-15.el9_0.x86_64
openssl-3.0.1-20.el9_0.x86_64
RHEL-9.0.0-20220322.0

How reproducible:
Always

Environment setup
=================
fips-mode-setup --enable
reboot
hostnamectl set-hostname master.test.ipa
dnf install -y ipa-server-dns
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n test.ipa -U -r TEST.IPA
dnf install -y freeradius freeradius-ldap freeradius-utils
- generate certificates via bootstrap script (/etc/raddb/certs/)
Note: there is a workaround for creating certificates due to BZ#2069224 in FIPS
     - delete the "if" statement in the bootstrap script to skip the "make all" command
     - add the "-nodes" option to the openssl req -new command
     - run the bootstrap (/etc/raddb/certs/bootstrap) script to create certificates

- Create the /etc/krb5.conf.d/krad file with the following content:
  [libdefaults] 
  radius_md5_fips_override = true

systemctl daemon-reload
systemctl restart radiusd krb5kdc

Test setup
==========
echo Secret123 | kinit admin
echo SecretPrePassword1 | ipa user-add --first tuser --last tuser tuser --password
printf "SecretPrePassword1\nSecretUser1\nSecretUser1\n" | kinit tuser
echo Secret123 | kinit admin
printf "testing123\ntesting123\n" | ipa radiusproxy-add tproxy --server=127.0.0.1
ipa user-mod tuser --user-auth-type=radius --radius=tproxy
echo "tuser Cleartext-Password := "Secret123456"" > /etc/raddb/users
systemctl restart radiusd

Test
====
# kdestroy -A
# echo Secret123 | kinit admin
# echo Secret123456 | kinit -T KCM:0 tuser
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials

Actual results:
User not authenticated

Expected results:
User is authenticated

Additional info:

krb5 debug
================
# echo Secret123456 | kinit -T KCM:0 tuser
[14834] 1648207293.223777: Matching tuser in collection with result: -1765328243/Can't find client principal tuser in cache collection
[14834] 1648207293.223778: Resolving unique ccache of type KCM
[14834] 1648207293.223779: Getting initial credentials for tuser
[14834] 1648207293.223780: FAST armor ccache: KCM:0
[14834] 1648207293.223781: Retrieving admin -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.IPA\@TEST.IPA@X-CACHECONF: from KCM:0 with result: 0/Success
[14834] 1648207293.223782: Read config in KCM:0 for krbtgt/TEST.IPA: fast_avail: yes
[14834] 1648207293.223783: Using FAST due to armor ccache negotiation result
[14834] 1648207293.223784: Getting credentials admin -> krbtgt/TEST.IPA using ccache KCM:0
[14834] 1648207293.223785: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[14834] 1648207293.223786: Retrieving admin -> krbtgt/TEST.IPA from KCM:0 with result: 0/Success
[14834] 1648207293.223787: Armor ccache sesion key: aes256-sha2/549D
[14834] 1648207293.223789: Creating authenticator for admin -> krbtgt/TEST.IPA, seqnum 0, subkey aes256-sha2/50CC, session key aes256-sha2/549D
[14834] 1648207293.223791: FAST armor key: aes256-sha2/9410
[14834] 1648207293.223793: Sending unauthenticated request
[14834] 1648207293.223794: Encoding request body and padata into FAST request
[14834] 1648207293.223795: Sending request (1837 bytes) to TEST.IPA
[14834] 1648207293.223796: Initiating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223797: Sending TCP request to stream 10.0.137.200:88
[14834] 1648207293.223798: Received answer (573 bytes) from stream 10.0.137.200:88
[14834] 1648207293.223799: Terminating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223800: Response was from primary KDC
[14834] 1648207293.223801: Received error from KDC: -1765328359/Additional pre-authentication required
[14834] 1648207293.223802: Decoding FAST response
[14834] 1648207293.223805: Preauthenticating using KDC method data
[14834] 1648207293.223806: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[14834] 1648207293.223807: Received cookie: MIT
[14834] 1648207293.223808: PKINIT client has no configured identity; giving up
[14834] 1648207293.223809: Preauth module pkinit (147) (info) returned: 0/Success
[14834] 1648207293.223810: PKINIT client received freshness token from KDC
[14834] 1648207293.223811: Preauth module pkinit (150) (info) returned: 0/Success
[14834] 1648207293.223812: PKINIT client has no configured identity; giving up
[14834] 1648207293.223813: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Enter OTP Token Value: 
[14834] 1648207293.223814: Preauth module otp (141) (real) returned: 0/Success
[14834] 1648207293.223815: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[14834] 1648207293.223816: Encoding request body and padata into FAST request
[14834] 1648207293.223817: Sending request (1988 bytes) to TEST.IPA
[14834] 1648207293.223818: Initiating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223819: Sending TCP request to stream 10.0.137.200:88
[14834] 1648207293.223820: Received answer (573 bytes) from stream 10.0.137.200:88
[14834] 1648207293.223821: Terminating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223822: Response was from primary KDC
[14834] 1648207293.223823: Received error from KDC: -1765328360/Preauthentication failed
[14834] 1648207293.223824: Decoding FAST response
kinit: Preauthentication failed while getting initial credentials

krb5 logs
===========
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.0.137.200: NEEDED_PREAUTH: tuser for krbtgt/TEST.IPA, Additional pre-authentication required
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): closing down fd 4
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): preauth (otp) verify failure: Generic preauthentication failure
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.0.137.200: PREAUTH_FAILED: tuser for krbtgt/TEST.IPA, Preauthentication failed
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): closing down fd 4


For more information on configuring FreeRADIUS authentication in FIPS mode, see https://access.redhat.com/solutions/4650511 (How to configure FreeRADIUS authentication in FIPS mode).

Comment 1 Julien Rische 2022-03-30 15:09:32 UTC
The problem seems to not be coming from krb5, but from ipa-otpd:

tuser: request received
tuser: user query start
tuser: user query end: uid=tuser,cn=users,cn=accounts,dc=test,dc=ipa
tuser: radius query start: cn=tproxy,cn=radiusproxy,dc=test,dc=ipa
tuser: radius query end: 127.0.0.1
tuser: forward start: tuser / 127.0.0.1
tuser: forward end: Socket type not supported
tuser: response sent: Access-Reject

The LDAP queries that ipa-otpd sends to 389ds are completed successfully and present in the logs. The issue probably is the "Socket type not supported" error against FreeRadius. radiusd is running but does not receive any request (no logs, even with the -X debugging option).

Comment 3 Simo Sorce 2022-04-19 12:54:40 UTC
FIPS does not care what the transport is, as long as you are not sending secrets in the clear over the network.
127.* is the same as a Unix socket in this regard, assuming some form of authentication to avoid interception by an untrusted process trying to squat on the receiver end.
The OS guarantees in terms of restricting which process can intercept a third party process communications on the same OS are fine, just like for Unix Sockets.

Comment 5 Alexander Bokovoy 2022-04-20 06:00:52 UTC
Thank you, Simo.

So, we would treat localhost-based FreeRADIUS the same as UNIX domain socket in FIPS mode.

Comment 9 Julien Rische 2022-05-10 10:05:27 UTC
I prepared a fix[1] for allowing TCP/IP connections, and another one[2] for an issue related to MD5. However, the same issue is happening on the FreeRadius side: 

The current MD4/5 code[3] for FreeRadius is relying on the "EVP_MD_CTX_FLAG_NON_FIPS_ALLOW" flag to bypass FIPS limitations, but it doesn't work any more[4]. A standalone OpenSSL context loading the "legacy" provider for MD4 and the "default" one for MD5 is now the only way to use MD4/5 on a FIPS-enabled system.

[1] https://gitlab.com/jrisc/centos_rpms_krb5/-/commit/b948596f5e7bb722da6abe167e2b29af252d79d5
[2] https://gitlab.com/jrisc/centos_rpms_krb5/-/commit/fd651c1cb210d62740f192e2f74f8e75ba562cee
[3] https://gitlab.com/redhat/centos-stream/rpms/freeradius/-/blob/c9s/freeradius-Backport-OpenSSL3-fixes.patch#L483
[4] https://github.com/openssl/openssl/blob/cac250755efd0c40cc6127a0e4baceb8d226c7e3/include/openssl/evp.h#L208

Comment 13 Julien Rische 2022-05-10 17:30:52 UTC
Pull request:
https://gitlab.com/redhat/centos-stream/rpms/krb5/-/merge_requests/18

Comment 15 Julien Rische 2022-05-25 08:08:53 UTC
The fix on FreeRadius side has been merged by Antonio[1], we can proceed on our side.

[1] https://gitlab.com/redhat/centos-stream/rpms/freeradius/-/merge_requests/22

Comment 25 errata-xmlrpc 2022-11-15 11:11:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (krb5 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8271

