+++ This bug was initially created as a clone of Bug #2068458 +++

Description of problem:

IPA installed on RHEL9.0 with FIPS mode enabled fails to authenticate a user using RADIUS (OTP). The same scenario works with FIPS mode disabled.

Version-Release number of selected component (if applicable):

ipa-server-4.9.8-7.el9_0.x86_64
krb5-server-1.19.1-15.el9_0.x86_64
openssl-3.0.1-20.el9_0.x86_64
RHEL-9.0.0-20220322.0

How reproducible:

Always

Environment setup
=================

fips-mode-setup --enable
reboot
hostnamectl set-hostname master.test.ipa
dnf install -y ipa-server-dns
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n test.ipa -U -r TEST.IPA
dnf install -y freeradius freeradius-ldap freeradius-utils

- generate certificates via bootstrap script (/etc/raddb/certs/)
  Note: there is a workaround for creating certificates due to BZ#2069224 in FIPS
  - delete "if" statement in bootstrap script to skip "make all" command
  - add "-nodes" option into openssl req -new command
  - run bootstrap (/etc/raddb/certs/bootstrap) script to create certificates
- Create the /etc/krb5.conf.d/krad file with the following content:

[libdefaults]
radius_md5_fips_override = true

systemctl daemon-reload
systemctl restart radiusd krb5kdc

Test setup
==========

echo Secret123 | kinit admin
echo SecretPrePassword1 | ipa user-add --first tuser --last tuser tuser --password
printf "SecretPrePassword1\nSecretUser1\nSecretUser1\n" | kinit tuser
echo Secret123 | kinit admin
printf "testing123\ntesting123\n" | ipa radiusproxy-add tproxy --server=127.0.0.1
ipa user-mod tuser --user-auth-type=radius --radius=tproxy
echo "tuser Cleartext-Password := "Secret123456"" > /etc/raddb/users
systemctl restart radiusd

Test
====

# kdestroy -A
# echo Secret123 | kinit admin
# echo Secret123456 | kinit -T KCM:0 tuser
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials

Actual results:
User not authenticated

Expected results:
User is authenticated

Additional info:

krb5 debug
==========

# echo Secret123456 | kinit -T KCM:0 tuser
[14834] 1648207293.223777: Matching tuser in collection with result: -1765328243/Can't find client principal tuser in cache collection
[14834] 1648207293.223778: Resolving unique ccache of type KCM
[14834] 1648207293.223779: Getting initial credentials for tuser
[14834] 1648207293.223780: FAST armor ccache: KCM:0
[14834] 1648207293.223781: Retrieving admin -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.IPA\@TEST.IPA@X-CACHECONF: from KCM:0 with result: 0/Success
[14834] 1648207293.223782: Read config in KCM:0 for krbtgt/TEST.IPA: fast_avail: yes
[14834] 1648207293.223783: Using FAST due to armor ccache negotiation result
[14834] 1648207293.223784: Getting credentials admin -> krbtgt/TEST.IPA using ccache KCM:0
[14834] 1648207293.223785: Retrieving admin -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:0 with result: -1765328243/Matching credential not found
[14834] 1648207293.223786: Retrieving admin -> krbtgt/TEST.IPA from KCM:0 with result: 0/Success
[14834] 1648207293.223787: Armor ccache sesion key: aes256-sha2/549D
[14834] 1648207293.223789: Creating authenticator for admin -> krbtgt/TEST.IPA, seqnum 0, subkey aes256-sha2/50CC, session key aes256-sha2/549D
[14834] 1648207293.223791: FAST armor key: aes256-sha2/9410
[14834] 1648207293.223793: Sending unauthenticated request
[14834] 1648207293.223794: Encoding request body and padata into FAST request
[14834] 1648207293.223795: Sending request (1837 bytes) to TEST.IPA
[14834] 1648207293.223796: Initiating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223797: Sending TCP request to stream 10.0.137.200:88
[14834] 1648207293.223798: Received answer (573 bytes) from stream 10.0.137.200:88
[14834] 1648207293.223799: Terminating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223800: Response was from primary KDC
[14834] 1648207293.223801: Received error from KDC: -1765328359/Additional pre-authentication required
[14834] 1648207293.223802: Decoding FAST response
[14834] 1648207293.223805: Preauthenticating using KDC method data
[14834] 1648207293.223806: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[14834] 1648207293.223807: Received cookie: MIT
[14834] 1648207293.223808: PKINIT client has no configured identity; giving up
[14834] 1648207293.223809: Preauth module pkinit (147) (info) returned: 0/Success
[14834] 1648207293.223810: PKINIT client received freshness token from KDC
[14834] 1648207293.223811: Preauth module pkinit (150) (info) returned: 0/Success
[14834] 1648207293.223812: PKINIT client has no configured identity; giving up
[14834] 1648207293.223813: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Enter OTP Token Value:
[14834] 1648207293.223814: Preauth module otp (141) (real) returned: 0/Success
[14834] 1648207293.223815: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[14834] 1648207293.223816: Encoding request body and padata into FAST request
[14834] 1648207293.223817: Sending request (1988 bytes) to TEST.IPA
[14834] 1648207293.223818: Initiating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223819: Sending TCP request to stream 10.0.137.200:88
[14834] 1648207293.223820: Received answer (573 bytes) from stream 10.0.137.200:88
[14834] 1648207293.223821: Terminating TCP connection to stream 10.0.137.200:88
[14834] 1648207293.223822: Response was from primary KDC
[14834] 1648207293.223823: Received error from KDC: -1765328360/Preauthentication failed
[14834] 1648207293.223824: Decoding FAST response
kinit: Preauthentication failed while getting initial credentials

krb5 logs
=========

Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.0.137.200: NEEDED_PREAUTH: tuser for krbtgt/TEST.IPA, Additional pre-authentication required
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): closing down fd 4
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): preauth (otp) verify failure: Generic preauthentication failure
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): AS_REQ (2 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19)}) 10.0.137.200: PREAUTH_FAILED: tuser for krbtgt/TEST.IPA, Preauthentication failed
Mar 25 07:21:33 master.test.ipa krb5kdc[12882](info): closing down fd 4

For more information on configuring FreeRADIUS authentication in FIPS mode, see link:https://access.redhat.com/solutions/4650511[How to configure FreeRADIUS authentication in FIPS mode].

--- Additional comment from Julien Rische on 2022-03-30 15:09:32 UTC ---

The problem seems to not be coming from krb5, but from ipa-otpd:

tuser: request received
tuser: user query start
tuser: user query end: uid=tuser,cn=users,cn=accounts,dc=test,dc=ipa
tuser: radius query start: cn=tproxy,cn=radiusproxy,dc=test,dc=ipa
tuser: radius query end: 127.0.0.1
tuser: forward start: tuser / 127.0.0.1
tuser: forward end: Socket type not supported
tuser: response sent: Access-Reject

The LDAP queries that ipa-otpd sends to 389ds are completed successfully and present in the logs. The issue probably is the "Socket type not supported" error against FreeRADIUS. radiusd is running but does not receive any request (no logs, even with the -X debugging option).

--- Additional comment from Simo Sorce on 2022-04-19 12:54:40 UTC ---

FIPS does not care what the transport is, as long as you are not sending secrets in the clear over the network. 127.* is the same as a Unix socket in this regard, assuming some form of authentication to avoid interception by an untrusted process trying to squat on the receiver end. The OS guarantees in terms of restricting which process can intercept a third party process communications on the same OS are fine, just like for Unix Sockets.

--- Additional comment from Alexander Bokovoy on 2022-04-20 06:00:52 UTC ---

Thank you, Simo. So, we would treat localhost-based FreeRADIUS the same as UNIX domain socket in FIPS mode.
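The following is an added triage helper written for this page; it is not code from the bug report, from FreeIPA or from krb5. It parses ipa-otpd log lines of the shape quoted in the comments above ("<user>: <event>: <detail>"), pairs each Access-Reject with the RADIUS target that ipa-otpd tried to forward to, and classifies that target as a UNIX socket, a loopback address or a remote host, following the thread's conclusion that the MD5-protected RADIUS exchange is acceptable in FIPS mode only when it stays on the host. The first block of sample lines is the one quoted by Julien Rische; the second user (ruser) and its remote target are constructed for the example, and the "unix"/"loopback"/"remote" rules are an assumption derived from the discussion, not from the krb5 sources.

```python
"""Triage helper for ipa-otpd RADIUS forwarding failures under FIPS.

Added example; not code from the bug report, from FreeIPA or from krb5.
Assumed (not stated on the page): the transport rules follow the thread's
conclusion that UNIX sockets and loopback addresses are acceptable for the
MD5-based RADIUS exchange in FIPS mode and anything off-host is not.
"""
import ipaddress
import re

# ipa-otpd log line shape as quoted in the report: "<user>: <event>[: <detail>]"
_OTPD_LINE = re.compile(r"^(?P<user>[^:]+): (?P<event>[^:]+)(?:: (?P<detail>.*))?$")

# Constructed sample: the tuser lines are the ones quoted in the bug comment,
# the ruser lines (remote RADIUS target) are made up for this example.
SAMPLE_OTPD_LOG = """\
tuser: request received
tuser: user query start
tuser: user query end: uid=tuser,cn=users,cn=accounts,dc=test,dc=ipa
tuser: radius query start: cn=tproxy,cn=radiusproxy,dc=test,dc=ipa
tuser: radius query end: 127.0.0.1
tuser: forward start: tuser / 127.0.0.1
tuser: forward end: Socket type not supported
tuser: response sent: Access-Reject
ruser: request received
ruser: radius query end: radius.example.test:1812
ruser: forward start: ruser / radius.example.test:1812
ruser: forward end: Socket type not supported
ruser: response sent: Access-Reject
"""


def split_host_port(server, default_port=1812):
    """Split 'host', 'host:port', '[v6]:port', a bare IPv6 literal or a socket path."""
    if server.startswith("/"):
        return server, None                      # UNIX domain socket path, no port
    if server.startswith("["):                   # [::1]:1812
        host, _, rest = server[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return host, port
    if server.count(":") == 1:                   # host:port
        host, _, port = server.partition(":")
        return host, int(port)
    return server, default_port                  # bare name or bare IPv6 literal


def classify_transport(server):
    """Return 'unix', 'loopback' or 'remote' for a RADIUS target string."""
    host, _ = split_host_port(server)
    if host.startswith("/"):
        return "unix"
    if host == "localhost":
        return "loopback"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "remote"
    except ValueError:
        return "remote"  # hostnames are treated as off-host (assumption: no resolver lookup)


def fips_assessment(server, fips_enabled):
    """Decide whether forwarding to `server` keeps the RADIUS secret exchange on the host.

    RADIUS hides User-Password with an MD5 keystream derived from the shared
    secret, which is why FIPS mode restricts the transport at all; per the
    thread, a UNIX socket or a loopback address is acceptable, a remote host is not.
    """
    kind = classify_transport(server)
    if not fips_enabled:
        return {"transport": kind, "acceptable": True,
                "reason": "FIPS mode disabled; no transport restriction"}
    if kind in ("unix", "loopback"):
        return {"transport": kind, "acceptable": True,
                "reason": "local transport; interception limited to same-host processes"}
    return {"transport": kind, "acceptable": False,
            "reason": "MD5-protected RADIUS exchange would cross the network in FIPS mode"}


def _hint(error, transport):
    if "Socket type not supported" in error and transport == "loopback":
        return ("libkrad refused a loopback transport in FIPS mode; "
                "the krb5 fix tracked in this bug treats loopback like a UNIX socket")
    if transport == "remote":
        return ("target is off-host; keep the shared-secret exchange local, e.g. via a "
                "FreeRADIUS proxy on this host, and review the FIPS guidance linked above")
    return ""


def triage_otpd_log(text, fips_enabled=True):
    """Return one finding per Access-Reject: user, RADIUS target, OS error, FIPS assessment."""
    targets, errors, findings = {}, {}, []
    for line in text.splitlines():
        m = _OTPD_LINE.match(line.strip())
        if not m:
            continue
        user, event, detail = m.group("user"), m.group("event"), m.group("detail") or ""
        if event == "radius query end":
            targets[user] = detail               # the proxy's resolved server string
        elif event == "forward end":
            errors[user] = detail                # strerror text from the forward attempt
        elif event == "response sent" and detail == "Access-Reject":
            server = targets.get(user, "?")
            finding = {"user": user, "server": server, "error": errors.get(user, "")}
            finding.update(fips_assessment(server, fips_enabled))
            finding["hint"] = _hint(finding["error"], finding["transport"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_otpd_log(SAMPLE_OTPD_LOG):
        print(f"{f['user']:>6} -> {f['server']:<26} {f['transport']:<8} "
              f"acceptable={f['acceptable']} error={f['error']!r}\n        {f['hint']}")
```

Run it against a real ipa-otpd journal (`journalctl -u ipa-otpd@*` piped in place of SAMPLE_OTPD_LOG) to see at a glance which rejects are the FIPS transport refusal from this bug and which point at a RADIUS proxy configured with an off-host server.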
Pull request: https://src.fedoraproject.org/rpms/krb5/pull-request/17
FEDORA-2022-4ab4a17207 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-4ab4a17207
FEDORA-2022-4ab4a17207 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-f277d02a73 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f277d02a73
FEDORA-2022-0346da878d has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0346da878d
FEDORA-2022-0346da878d has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-0346da878d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0346da878d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-f277d02a73 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-f277d02a73` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-f277d02a73 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-f277d02a73 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-0346da878d has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.