As a response to the Kerberos Bronze Bit vulnerability (CVE-2020-17049), Microsoft added a "ticket signature" buffer to the PAC[1]. The presence of this signature is not required for AD to accept the PAC[2]. However, the MIT krb5 implementation[3] in 1.20.1 requires it to be present[4] when the target is a service principal and the KDC verifies an S4U2Proxy TGS-REQ. This is an issue for gradual upgrades.

Let's consider this setup:

* "alice" user
* RHEL8 IPA server "rhel8.ipa.test" and RHEL9 "rhel9.ipa.test"
* Server "service1.ipa.test" and server "service2.ipa.test"

Alice wants to authenticate to service1.ipa.test. Alice's client is configured to use rhel8.ipa.test as KDC, so she will obtain an alice->HTTP/service1.ipa.test ticket from rhel8.ipa.test without the ticket signature in the PAC.

service1.ipa.test is configured to use rhel9.ipa.test as KDC. service1.ipa.test receives the alice->HTTP/service1.ipa.test ticket from Alice. This service needs to impersonate Alice to authenticate to service2.ipa.test in order to function, so it sends an S4U2Proxy TGS request for alice->nfs/service2.ipa.test using its own TGT and the alice->HTTP/service1.ipa.test ticket.

rhel9.ipa.test receives the S4U2Proxy TGS-REQ, but since it is using MIT krb5 1.20.1, it will try to verify the PAC ticket signature. But since this PAC was generated on RHEL8 with MIT krb5 1.18.2, the ticket signature will be absent. This will cause the TGS-REQ to fail.
This can be reproduced this way:

# Configure rhel8.ipa.test as KDC in /etc/krb5.conf
# Pre-authenticate as service1.ipa.test:
kinit -kt service.keytab HTTP/service1.ipa.test
# S4U2Self request against rhel8.ipa.test to mimic authentication of alice against service1.ipa.test:
kvno -I alice HTTP/service1.ipa.test
# Configure rhel9.ipa.test as KDC in /etc/krb5.conf
# S4U2Proxy request against rhel9.ipa.test to impersonate alice as service1.ipa.test to service2.ipa.test:
kvno -I alice -P -S nfs service2.ipa.test

This will result in the following error:

kvno: KDC returned error string: 2ND_TKT_PAC nfs/service2.ipa.test@: constrained delegation failed

This is caused by the fact the KDC fails to find the ticket signature buffer in the PAC:

#0 verify_checksum.constprop.0 (context=0x56428d516a60, pac=<optimized out>, buffer_type=16, key=0x7ffc0e0d79a0, data=0x56428d594260, usage=17) at krb/pac.c:534
#1 0x00007f72928bc3e2 in krb5_kdc_verify_ticket (context=context@entry=0x56428d516a60, enc_tkt=enc_tkt@entry=0x56428d51b840, server_princ=server_princ@entry=0x56428d61af00, server=server@entry=0x56428d594240, privsvr=privsvr@entry=0x7ffc0e0d79a0, pac_out=pac_out@entry=0x7ffc0e0d78f0) at krb/pac.c:707
#2 0x000056428bcbeb90 in get_verified_pac (pac_out=0x7ffc0e0d78f0, tgt_key=0x7ffc0e0d79a0, tgt=0x56428d6196d0, server_key=0x56428d594240, sprinc=0x56428d61af00, enc_tkt=0x56428d51b840, context=0x56428d516a60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:548
#3 get_verified_pac (context=0x56428d516a60, enc_tkt=0x56428d51b840, sprinc=0x56428d61af00, server_key=0x56428d594240, tgt=tgt@entry=0x56428d6196d0, tgt_key=tgt_key@entry=0x7ffc0e0d79a0, pac_out=0x7ffc0e0d78f0) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:530
#4 0x000056428bcc291b in decrypt_2ndtkt (status=0x7ffc0e0d7930, key_out=<synthetic pointer>, server_out=<synthetic pointer>, pac_out=0x7ffc0e0d78f0, stkt_out=<synthetic pointer>, local_tgt_key=0x7ffc0e0d79a0, local_tgt=0x56428d6196d0, flags=0, req=<optimized out>, kdc_active_realm=0x56428d61ab60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:900
#5 process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x56428d4e04f0, from=from@entry=0x56428d623e20, kdc_active_realm=kdc_active_realm@entry=0x56428d61ab60, response=response@entry=0x7ffc0e0d7c60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:292
#6 0x000056428bcc5c5d in dispatch (cb=<optimized out>, local_addr=0x56428d4e04d8, remote_addr=0x56428d623e20, pkt=0x56428d4e04f0, is_tcp=1, vctx=0x56428d4e2a80, respond=0x56428bcca8a0 <process_tcp_response>, arg=0x56428d4e0440) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/dispatch.c:165
#7 0x000056428bccaca4 in process_tcp_connection_read (ctx=0x56428d4e2a80, ev=<optimized out>) at ../lib/apputils/net-server.c:1362
#8 0x00007f72928257fc in verto_fire () from /lib64/libverto.so.1
#9 0x00007f72815cfd83 in ev_invoke_pending () from /lib64/libev.so.4
#10 0x00007f72815d3830 in ev_run () from /lib64/libev.so.4
#11 0x000056428bcb9fa6 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/main.c:1043

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/76c10ef5-de76-44bf-b208-0d8750fc2edd
[2] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf Page 6, 1st paragraph
[3] https://github.com/krb5/krb5/pull/1225
[4] https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/lib/krb5/krb/pac.c#L690
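The mixed-version failure above comes down to which buffers the PAC's directory carries. As an added illustration (not code from the report, from MIT krb5 or from FreeIPA), the following script builds PACTYPE blobs following the MS-PAC layout (a header of cBuffers and Version, then PAC_INFO_BUFFER entries of ulType, cbBufferSize and Offset), parses the directory back out of them, and models the two KDC policies the report contrasts: a strict KDC that, like MIT krb5 1.20.1, refuses an S4U2Proxy evidence ticket for a service target when buffer type 16 (the ticket signature) is absent, and a tolerant one that accepts such a PAC as AD does. The sample PACs are constructed; their checksum payloads are zero placeholders, and the script only checks buffer presence, not checksum validity, which a real KDC verifies with its keys.

```python
"""Constructed example: parse a PAC buffer directory and check for the
ticket signature buffer that MIT krb5 1.20.1 requires in S4U2Proxy."""
import struct

# ulType values from MS-PAC section 2.4
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10
PAC_TICKET_CHECKSUM = 16   # the "ticket signature" added after CVE-2020-17049

HEADER = struct.Struct("<II")        # cBuffers, Version (must be 0)
INFO_BUFFER = struct.Struct("<IIQ")  # ulType, cbBufferSize, Offset


def build_pac(buffers):
    """Serialise (ulType, payload) pairs into a PACTYPE blob.

    Test-data helper only: payloads are opaque bytes, so checksum buffers
    built with it are placeholders and not cryptographically valid."""
    directory_len = HEADER.size + INFO_BUFFER.size * len(buffers)
    entries, data, offset = [], bytearray(), directory_len
    for ultype, payload in buffers:
        padded = payload + b"\x00" * (-len(payload) % 8)  # 8-byte aligned
        entries.append(INFO_BUFFER.pack(ultype, len(payload), offset))
        data += padded
        offset += len(padded)
    return HEADER.pack(len(buffers), 0) + b"".join(entries) + bytes(data)


def parse_pac(pac):
    """Return {ulType: payload} from a PACTYPE blob, checking every bound."""
    if len(pac) < HEADER.size:
        raise ValueError("PAC shorter than its header")
    count, version = HEADER.unpack_from(pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    directory_len = HEADER.size + INFO_BUFFER.size * count
    if len(pac) < directory_len:
        raise ValueError("PAC buffer directory truncated")
    buffers = {}
    for i in range(count):
        ultype, size, offset = INFO_BUFFER.unpack_from(
            pac, HEADER.size + INFO_BUFFER.size * i)
        if offset < directory_len or offset + size > len(pac):
            raise ValueError("buffer type %d points outside the PAC" % ultype)
        if ultype in buffers:
            raise ValueError("duplicate buffer type %d" % ultype)
        buffers[ultype] = pac[offset:offset + size]
    return buffers


def kdc_accepts_evidence_ticket(pac, target_is_service, require_ticket_signature):
    """Model the policy difference from the report; returns (accepted, reason).

    require_ticket_signature=True mirrors MIT krb5 1.20.1, which needs
    PAC_TICKET_CHECKSUM in the evidence ticket of an S4U2Proxy request
    whose target is a service principal; False mirrors AD, which accepts
    a PAC without it. Only buffer presence is checked here."""
    try:
        buffers = parse_pac(pac)
    except ValueError as exc:
        return False, "malformed PAC: %s" % exc
    for required in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if required not in buffers:
            return False, "missing checksum buffer type %d" % required
    if (require_ticket_signature and target_is_service
            and PAC_TICKET_CHECKSUM not in buffers):
        return False, "2ND_TKT_PAC: evidence ticket PAC has no ticket signature"
    return True, "ok"


# Constructed scenario: a PAC as issued by the 1.18.2 KDC (no type 16) ...
OLD_KDC_PAC = build_pac([
    (PAC_LOGON_INFO, b"alice-logon-info"),
    (PAC_CLIENT_INFO, b"alice"),
    (PAC_SERVER_CHECKSUM, b"\x00" * 16),
    (PAC_PRIVSVR_CHECKSUM, b"\x00" * 16),
])
# ... and one as issued by a 1.20.1 KDC, which adds the ticket signature
NEW_KDC_PAC = build_pac([
    (PAC_LOGON_INFO, b"alice-logon-info"),
    (PAC_CLIENT_INFO, b"alice"),
    (PAC_SERVER_CHECKSUM, b"\x00" * 16),
    (PAC_PRIVSVR_CHECKSUM, b"\x00" * 16),
    (PAC_TICKET_CHECKSUM, b"\x00" * 16),
])

if __name__ == "__main__":
    for label, pac in (("rhel8-issued", OLD_KDC_PAC), ("rhel9-issued", NEW_KDC_PAC)):
        print(label, "buffers:", sorted(parse_pac(pac)))
        print("  strict KDC (krb5 1.20.1):", kdc_accepts_evidence_ticket(pac, True, True))
        print("  tolerant KDC (AD)       :", kdc_accepts_evidence_ticket(pac, True, False))
```

Running it shows the rhel8-issued PAC carrying only buffer types 1, 6, 7 and 10 and being rejected by the strict policy while the tolerant policy and the rhel9-issued PAC pass, which is the observable difference behind the 2ND_TKT_PAC error; when dumping a real PAC, the same directory walk tells you in advance whether a ticket issued by an older KDC will survive verification on a 1.20.1 KDC.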
Upstream pull request: https://github.com/krb5/krb5/pull/1295
Fixed upstream master:
https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463
https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7
https://pagure.io/freeipa/c/545a363dd2f7f551fa3ec3fed66c80b30ae3c1e1
Fixed upstream ipa-4-10:
https://pagure.io/freeipa/c/630cda5c06428825dd5604493621b9cbdab70073
https://pagure.io/freeipa/c/bbe545ff9feb972e549c743025e4a26b14ef8f89
https://pagure.io/freeipa/c/7ea3b86696f5451f1d227d365018ab7dc53024af
Moving back to assigned; the mentioned commits are related to IPA. The krb5 part is not done yet.