Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2068458

Summary: Allow libkrad to process TCP/IP requests on localhost in FIPS mode [rhel-9.1]
Product: Red Hat Enterprise Linux 9 Reporter: Filip Dvorak <fdvorak>
Component: krb5Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA QA Contact: Filip Dvorak <fdvorak>
Severity: medium Docs Contact:
Priority: medium    
Version: 9.0CC: abokovoy, amore, antorres, fdvorak, frenaud, rcritten, ssorce, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.19.1-20.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2082189 (view as bug list) Environment:
Last Closed: 2022-11-15 11:11:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2083699    
Bug Blocks: 2082189    

Description Filip Dvorak 2022-03-25 11:28:46 UTC 
Description of problem:
IPA installed on RHEL9.0 with FIPS mode enabled fails to authenticate a user using RADIUS(OTP). The same scenario works in FIPS mode disabled.

Version-Release number of selected component (if applicable):
ipa-server-4.9.8-7.el9_0.x86_64
krb5-server-1.19.1-15.el9_0.x86_64
openssl-3.0.1-20.el9_0.x86_64
RHEL-9.0.0-20220322.0

How reproducible:
Always

Environment setup
=================
fips-mode-setup --enable
reboot
hostnamectl set-hostname master.test.ipa
dnf install -y ipa-server-dns
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n test.ipa -U -r TEST.IPA
dnf install -y freeradius freeradius-ldap freeradius-utils
- generate certificates via bootstrap script (/etc/raddb/certs/)
Note: there is a workaround for creating certificates due to BZ#2069224 in FIPS
     - delete "if" statement in bootstrap script to skip "make all" command
     - add "-nodes" option into openssl rew -new command
     - run bootstrap (/etc/raddb/certs/boostrap) script to create certificates

- Create the /etc/krb5.conf.d/krad file with the following content:
  [libdefaults] 
  radius_md5_fips_override = true

systemctl daemon-reload
systemctl restart radiusd krb5kdc

Test setup
==========
echo Secret123 | kinit admin
echo SecretPrePassword1 | ipa user-add --first tuser --last tuser tuser --password
printf "SecretPrePassword1\nSecretUser1\nSecretUser1\n" | kinit tuser
echo Secret123 | kinit admin
printf "testing123\ntesting123\n" | ipa radiusproxy-add tproxy --server=127.0.0.1
ipa user-mod tuser --user-auth-type=radius --radius=tproxy
echo "tuser Cleartext-Password := "Secret123456"" > /etc/raddb/users
systemctl restart radiusd

Test
====
# kdestroy -A
# echo Secret123 | kinit admin
# echo Secret123456 | kinit -T KCM:0 tuser
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials

Actual results:
User not authenticated

Expected results:
User is authenticated

Additional info:

krb5 debug
================
# echo Secret123456 | kinit -T KCM:0 tuser
[14834] 1648207293.223777: Matching tuser in collection with result: -1765328243/Can't find client principal tuser in cache collection
[14834] 1648207293.223778: Resolving unique ccache of type KCM
[14834] 1648207293.223779: Getting initial credentials for tuser
[14834] 1648207293.223780: FAST armor ccache: KCM:0
[14834] 1648207293.223781: Retrieving admin -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.IPA\@TEST.IPA@X-CACHECONF: from KCM:0 with result: 0/Success
[14834] 1648207293.223782: Read config in KCM:0 for krbtgt/TEST.IPA: fast_avail: yes
[14834] 1648207293.223783: Using FAST due to armor ccache negotiation result
[14834] 1648207293.223784: Getting credentials admin -> krbtgt/TEST.IPA using ccache KCM:0
[14834] 1648207293.223785: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[14834] 1648207293.223786: Retrieving admin -> krbtgt/TEST.IPA from KCM:0 with result: 0/Success
[14834] 1648207293.223787: Armor ccache sesion key: aes256-sha2/549D
[14834] 1648207293.223789: Creating authenticator for admin -> krbtgt/TEST.IPA, seqnum 0, subkey aes256-sha2/50CC, session key aes256-sha2/549D
[14834] 1648207293.223791: FAST armor key: aes256-sha2/9410
[14834] 1648207293.223793: Sending unauthenticated request
[14834] 1648207293.223794: Encoding request body and padata into FAST request
[14834] 1648207293.223795: Sending request (1837 bytes) to TEST.IPA
[14834] 1648207293.223796: Initiating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223797: Sending TCP request to stream 10.0.137.200:88
[14834] 1648207293.223798: Received answer (573 bytes) from stream 10.0.137.200:88
[14834] 1648207293.223799: Terminating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223800: Response was from primary KDC
[14834] 1648207293.223801: Received error from KDC: -1765328359/Additional pre-authentication required
[14834] 1648207293.223802: Decoding FAST response
[14834] 1648207293.223805: Preauthenticating using KDC method data
[14834] 1648207293.223806: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[14834] 1648207293.223807: Received cookie: MIT
[14834] 1648207293.223808: PKINIT client has no configured identity; giving up
[14834] 1648207293.223809: Preauth module pkinit (147) (info) returned: 0/Success
[14834] 1648207293.223810: PKINIT client received freshness token from KDC
[14834] 1648207293.223811: Preauth module pkinit (150) (info) returned: 0/Success
[14834] 1648207293.223812: PKINIT client has no configured identity; giving up
[14834] 1648207293.223813: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Enter OTP Token Value: 
[14834] 1648207293.223814: Preauth module otp (141) (real) returned: 0/Success
[14834] 1648207293.223815: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[14834] 1648207293.223816: Encoding request body and padata into FAST request
[14834] 1648207293.223817: Sending request (1988 bytes) to TEST.IPA
[14834] 1648207293.223818: Initiating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223819: Sending TCP request to stream 10.0.137.200:88
[14834] 1648207293.223820: Received answer (573 bytes) from stream 10.0.137.200:88
[14834] 1648207293.223821: Terminating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223822: Response was from primary KDC
[14834] 1648207293.223823: Received error from KDC: -1765328360/Preauthentication failed
[14834] 1648207293.223824: Decoding FAST response
kinit: Preauthentication failed while getting initial credentials

krb5 logs
===========
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.0.137.200: NEEDED_PREAUTH: tuser for krbtgt/TEST.IPA, Additional pre-authentication required
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): closing down fd 4
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): preauth (otp) verify failure: Generic preauthentication failure
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.0.137.200: PREAUTH_FAILED: tuser for krbtgt/TEST.IPA, Preauthentication failed
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): closing down fd 4


For more information on configuring FreeRADIUS authentication in FIPS mode, see link:https://access.redhat.com/solutions/4650511[How to configure FreeRADIUS authentication in FIPS mode].
Comment 1 Julien Rische 2022-03-30 15:09:32 UTC 
The problem seems to not be coming from krb5, but from ipa-otpd:

tuser: request received
tuser: user query start
tuser: user query end: uid=tuser,cn=users,cn=accounts,dc=test,dc=ipa
tuser: radius query start: cn=tproxy,cn=radiusproxy,dc=test,dc=ipa
tuser: radius query end: 127.0.0.1
tuser: forward start: tuser / 127.0.0.1
tuser: forward end: Socket type not supported
tuser: response sent: Access-Reject

The LDAP queries that ipa-otpd sends to 389ds are completed successfully and present in the logs. The issue probably is the "Socket type not supported" error against FreeRadius. radisud is running but does not receive any request (no logs, even with the -X debugging option).
Comment 3 Simo Sorce 2022-04-19 12:54:40 UTC 
FIPS does not care what the transport is, as long as you are not sending secrets in the clear over the network.
127.* is the same as a Unix socket in this regard, assuming some form of authentication to avoid interception by an untrusted process trying to squat on the receiver end.
The OS guarantees in terms of restricting which process can intercept a third party process communications on the same OS are fine, just like for Unix Sockets.
Comment 5 Alexander Bokovoy 2022-04-20 06:00:52 UTC 
Thank you, Simo.

So, we would treat localhost-based FreeRADIUS the same as UNIX domain socket in FIPS mode.
Comment 9 Julien Rische 2022-05-10 10:05:27 UTC 
I prepared a fix[1] for allowing TCP/IP connections, and another one[2] for an issue related to MD5. However, the same issue is happening on the FreeRadius side: 

The current MD4/5 code[3] for FreeRadius is relying on the "EVP_MD_CTX_FLAG_NON_FIPS_ALLOW" flag to bypass FIPS limitations, but it doesn't work any more[4]. A standalone OpenSSL context loading the "legacy" provider for MD4 and the "default" one for MD5 is now the only way to use MD4/5 on a FIPS-enabled system.

[1] https://gitlab.com/jrisc/centos_rpms_krb5/-/commit/b948596f5e7bb722da6abe167e2b29af252d79d5
[2] https://gitlab.com/jrisc/centos_rpms_krb5/-/commit/fd651c1cb210d62740f192e2f74f8e75ba562cee
[3] https://gitlab.com/redhat/centos-stream/rpms/freeradius/-/blob/c9s/freeradius-Backport-OpenSSL3-fixes.patch#L483
[4] https://github.com/openssl/openssl/blob/cac250755efd0c40cc6127a0e4baceb8d226c7e3/include/openssl/evp.h#L208
Comment 13 Julien Rische 2022-05-10 17:30:52 UTC 
Pull request:
https://gitlab.com/redhat/centos-stream/rpms/krb5/-/merge_requests/18
Comment 15 Julien Rische 2022-05-25 08:08:53 UTC 
The fix on FreeRadius side has been merged by Antonio[1], we can proceed on our side.

[1] https://gitlab.com/redhat/centos-stream/rpms/freeradius/-/merge_requests/22
Comment 25 errata-xmlrpc 2022-11-15 11:11:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (krb5 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8271