Bug 2178298 - Make ticket signature optional during PAC verification [rhel-9]
Summary: Make ticket signature optional during PAC verification [rhel-9]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: krb5
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Julien Rische
QA Contact: Michal Polovka
Docs Contact: Filip Hanzelka
URL:
Whiteboard:
Depends On:
Blocks: 2181311 2211388
Reported: 2023-03-14 18:42 UTC by Julien Rische
Modified: 2023-12-08 16:42 UTC (History)

Fixed In Version: krb5-1.21.1-1.el9
Doc Type: Enhancement
Doc Text:
.The `optional_pac_tkt_chksum` option helps preserve interoperability between different versions of `krb5`

You can now use the `optional_pac_tkt_chksum` option to preserve interoperability between RHEL Kerberos Key Distribution Center (KDC) servers running different versions of the `krb5` package. Specifically, you can change their behavior regarding Privilege Attribute Certificate (PAC) ticket signature verification. If you set the `optional_pac_tkt_chksum` string attribute to `true` on the Kerberos principal expected to sign a ticket, the KDC does not reject service for user (S4U) requests that contain a ticket lacking the PAC ticket signature. The principal expected to sign the ticket is the ticket-granting service (TGS) principal or a cross-realm TGS principal, depending on the realm of the ticket's target service.

Since the `krb5-1.20` release, MIT Kerberos KDCs have required the PAC to carry a ticket signature, a checksum computed over the encrypted part of the Kerberos ticket, before they process S4U requests. This was a problem in gradual upgrade scenarios where some KDCs ran `krb5-1.19` or older while others ran `krb5-1.20` or newer: KDCs with the newer `krb5` rejected S4U requests whenever the service ticket presented in the request had been issued by a KDC with the older `krb5`, because that ticket carried no ticket signature. For more information about how this feature is used in Identity Management (IdM), see link:https://github.com/freeipa/freeipa/pull/6785#issue-1673265260[this pull request].
Clone Of:
Clones: 2181311 2211388
Environment:
Last Closed: 2023-11-07 08:56:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github krb5 krb5 pull 1295 0 None open Allow to set PAC ticket signature as optional 2023-03-17 16:20:37 UTC
Red Hat Issue Tracker FREEIPA-9562 0 None None None 2023-03-14 18:42:55 UTC
Red Hat Issue Tracker RHELPLAN-151830 0 None None None 2023-03-14 18:42:59 UTC
Red Hat Product Errata RHSA-2023:6699 0 None None None 2023-11-07 08:56:50 UTC

Description Julien Rische 2023-03-14 18:42:08 UTC
As a response to the Kerberos Bronze Bit vulnerability (CVE-2020-17049), Microsoft added a "ticket signature" buffer to the PAC[1]. The presence of this signature is not required for AD to accept the PAC[2]. However, the MIT krb5 implementation[3] in 1.20.1 requires it to be present[4] when the target is a service principal and the KDC verifies an S4U2Proxy TGS-REQ.

This is an issue for gradual upgrade. Let's consider this setup:

* "alice" user
* RHEL8 IPA server "rhel8.ipa.test" and RHEL9 "rhel9.ipa.test"
* Server "service1.ipa.test" and server "service2.ipa.test"

Alice wants to authenticate to service1.ipa.test. Alice's client is configured to use rhel8.ipa.test as KDC. So she will obtain an alice->HTTP/service1.ipa.test ticket from rhel8.ipa.test without the ticket signature in the PAC.

service1.ipa.test is configured to use rhel9.ipa.test as KDC. service1.ipa.test receives the alice->HTTP/service1.ipa.test ticket from Alice. This service needs to impersonate Alice to authenticate to service2.ipa.test in order to function. So it sends an S4U2Proxy TGS request for alice->nfs/service2.ipa.test using its own TGT and the alice->HTTP/service1.ipa.test ticket.

rhel9.ipa.test receives the S4U2Proxy TGS-REQ, but since it is using MIT krb5 1.20.1, it will try to verify the PAC ticket signature. But since this PAC was generated on RHEL8 with MIT krb5 1.18.2, the ticket signature will be absent. This will cause the TGS-REQ to fail.

This can be reproduced this way:

  # Configure rhel8.ipa.test as KDC in /etc/krb5.conf
  # Pre-authenticate as service1.ipa.test:
  kinit -kt service.keytab HTTP/service1.ipa.test
  # S4U2Self request against rhel8.ipa.test to mimic authentication of alice against service1.ipa.test:
  kvno -I alice HTTP/service1.ipa.test
  # Configure rhel9.ipa.test as KDC in /etc/krb5.conf
  # S4U2Proxy request against rhel9.ipa.test to impersonate alice as service1.ipa.test to service2.ipa.test:
  kvno -I alice -P -S nfs service2.ipa.test

This will result in the following error:

  kvno: KDC returned error string: 2ND_TKT_PAC nfs/service2.ipa.test@: constrained delegation failed

This is caused by the fact the KDC fails to find the ticket signature buffer in the PAC:

  #0  verify_checksum.constprop.0 (context=0x56428d516a60, pac=<optimized out>, buffer_type=16, key=0x7ffc0e0d79a0, data=0x56428d594260, usage=17) at krb/pac.c:534
  #1  0x00007f72928bc3e2 in krb5_kdc_verify_ticket (context=context@entry=0x56428d516a60, enc_tkt=enc_tkt@entry=0x56428d51b840, server_princ=server_princ@entry=0x56428d61af00, server=server@entry=0x56428d594240, privsvr=privsvr@entry=0x7ffc0e0d79a0, pac_out=pac_out@entry=0x7ffc0e0d78f0) at krb/pac.c:707
  #2  0x000056428bcbeb90 in get_verified_pac (pac_out=0x7ffc0e0d78f0, tgt_key=0x7ffc0e0d79a0, tgt=0x56428d6196d0, server_key=0x56428d594240, sprinc=0x56428d61af00, enc_tkt=0x56428d51b840, context=0x56428d516a60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:548
  #3  get_verified_pac (context=0x56428d516a60, enc_tkt=0x56428d51b840, sprinc=0x56428d61af00, server_key=0x56428d594240, tgt=tgt@entry=0x56428d6196d0, tgt_key=tgt_key@entry=0x7ffc0e0d79a0, pac_out=0x7ffc0e0d78f0) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:530
  #4  0x000056428bcc291b in decrypt_2ndtkt (status=0x7ffc0e0d7930, key_out=<synthetic pointer>, server_out=<synthetic pointer>, pac_out=0x7ffc0e0d78f0, stkt_out=<synthetic pointer>, local_tgt_key=0x7ffc0e0d79a0, local_tgt=0x56428d6196d0, flags=0, req=<optimized out>, kdc_active_realm=0x56428d61ab60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:900
  #5  process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x56428d4e04f0, from=from@entry=0x56428d623e20, kdc_active_realm=kdc_active_realm@entry=0x56428d61ab60, response=response@entry=0x7ffc0e0d7c60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:292
  #6  0x000056428bcc5c5d in dispatch (cb=<optimized out>, local_addr=0x56428d4e04d8, remote_addr=0x56428d623e20, pkt=0x56428d4e04f0, is_tcp=1, vctx=0x56428d4e2a80, respond=0x56428bcca8a0 <process_tcp_response>, arg=0x56428d4e0440) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/dispatch.c:165
  #7  0x000056428bccaca4 in process_tcp_connection_read (ctx=0x56428d4e2a80, ev=<optimized out>) at ../lib/apputils/net-server.c:1362
  #8  0x00007f72928257fc in verto_fire () from /lib64/libverto.so.1
  #9  0x00007f72815cfd83 in ev_invoke_pending () from /lib64/libev.so.4
  #10 0x00007f72815d3830 in ev_run () from /lib64/libev.so.4
  #11 0x000056428bcb9fa6 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/main.c:1043


[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/76c10ef5-de76-44bf-b208-0d8750fc2edd
[2] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf (page 6, 1st paragraph)
[3] https://github.com/krb5/krb5/pull/1225
[4] https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/lib/krb5/krb/pac.c#L690

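The failure mode described in the report above, as an added example that is not part of the bug report, of FreeIPA, or of the MIT krb5 code base: a small Python parser for the PAC container (MS-PAC layout: a PACTYPE header of cBuffers and Version, followed by PAC_INFO_BUFFER entries of ulType, cbBufferSize and Offset, all little-endian) and a function that models the KDC's decision on the second (evidence) ticket of an S4U2Proxy TGS-REQ. The two sample PACs are constructed inline with dummy checksum bytes; `kdc_accepts_evidence_ticket()` is a simplified model of the check in krb5_kdc_verify_ticket that only looks at which buffers are present (no key material, no checksum verification), and its `optional_pac_tkt_chksum` parameter stands in for the string attribute of the same name on the TGS principal that signed the ticket. The buffer type 0x10 it looks for is the `buffer_type=16` in the backtrace above.

```python
"""Toy model of the krb5 1.20/1.21 KDC decision on the PAC of an S4U2Proxy evidence ticket.

Added example; not code from the bug report or from MIT krb5. PAC layout per MS-PAC
(PACTYPE header followed by PAC_INFO_BUFFER entries). Checksum bytes in the samples
are dummies and kdc_accepts_evidence_ticket() only models buffer presence.
"""
import struct

# Buffer types from MS-PAC section 2.4 that matter for this report.
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07      # "KDC checksum", keyed with the TGS key
PAC_CLIENT_INFO = 0x0A
PAC_TICKET_CHECKSUM = 0x10       # ticket signature; buffer_type=16 in the backtrace

PACTYPE_HDR = struct.Struct("<II")        # cBuffers, Version
PAC_INFO_BUFFER = struct.Struct("<IIQ")   # ulType, cbBufferSize, Offset


def parse_pac(pac: bytes) -> dict:
    """Return {ulType: buffer bytes} for a PAC blob, rejecting malformed headers."""
    if len(pac) < PACTYPE_HDR.size:
        raise ValueError("PAC shorter than PACTYPE header")
    cbuffers, version = PACTYPE_HDR.unpack_from(pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    entries_end = PACTYPE_HDR.size + cbuffers * PAC_INFO_BUFFER.size
    if entries_end > len(pac):
        raise ValueError("PAC_INFO_BUFFER array truncated")
    buffers = {}
    for i in range(cbuffers):
        ultype, size, offset = PAC_INFO_BUFFER.unpack_from(
            pac, PACTYPE_HDR.size + i * PAC_INFO_BUFFER.size)
        if offset < entries_end or offset + size > len(pac):
            raise ValueError(f"buffer type {ultype:#x} lies outside the PAC")
        if ultype in buffers:
            raise ValueError(f"duplicate buffer type {ultype:#x}")
        buffers[ultype] = pac[offset:offset + size]
    return buffers


def build_pac(buffers: dict) -> bytes:
    """Serialise {ulType: bytes} into a PAC blob (constructed test data only)."""
    header_len = PACTYPE_HDR.size + PAC_INFO_BUFFER.size * len(buffers)
    infos, body = b"", b""
    for ultype, data in buffers.items():
        infos += PAC_INFO_BUFFER.pack(ultype, len(data), header_len + len(body))
        body += data + b"\x00" * (-len(data) % 8)   # MS-PAC pads buffers to 8 bytes
    return PACTYPE_HDR.pack(len(buffers), 0) + infos + body


def kdc_accepts_evidence_ticket(pac: bytes, optional_pac_tkt_chksum: bool) -> tuple:
    """Model the KDC's check on the second (evidence) ticket of an S4U2Proxy TGS-REQ.

    Returns (accepted, reason). A real KDC also verifies the server and KDC
    checksums (and the ticket signature when present) with the corresponding
    keys; this model only checks which buffers exist.
    """
    try:
        bufs = parse_pac(pac)
    except ValueError as e:
        return (False, f"malformed PAC: {e}")
    for required in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if required not in bufs:
            return (False, f"missing required PAC buffer {required:#x}")
    if PAC_TICKET_CHECKSUM not in bufs:
        if optional_pac_tkt_chksum:
            # krb5 >= 1.21 with optional_pac_tkt_chksum=true on the signing TGS principal
            return (True, "ticket signature absent but optional for this TGS principal")
        # krb5 1.20.x behaviour: 2ND_TKT_PAC, "constrained delegation failed"
        return (False, "2ND_TKT_PAC: ticket signature missing from evidence ticket PAC")
    return (True, "ticket signature present")


# Constructed samples: a PAC as a krb5 1.18 KDC (RHEL 8) would emit it, without the
# ticket signature, and the same PAC as a krb5 1.20 KDC (RHEL 9) would emit it.
_COMMON = {
    PAC_LOGON_INFO: b"\x11" * 40,
    PAC_CLIENT_INFO: b"\x22" * 16,
    PAC_SERVER_CHECKSUM: b"\x00" * 20,    # dummy checksum bytes
    PAC_PRIVSVR_CHECKSUM: b"\x00" * 20,
}
PAC_FROM_OLD_KDC = build_pac(_COMMON)
PAC_FROM_NEW_KDC = build_pac({**_COMMON, PAC_TICKET_CHECKSUM: b"\x00" * 20})


def demo() -> dict:
    """Run the gradual-upgrade scenario from the report; results keyed by case."""
    return {
        "old_pac_strict": kdc_accepts_evidence_ticket(PAC_FROM_OLD_KDC, False)[0],
        "old_pac_relaxed": kdc_accepts_evidence_ticket(PAC_FROM_OLD_KDC, True)[0],
        "new_pac_strict": kdc_accepts_evidence_ticket(PAC_FROM_NEW_KDC, False)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The "old_pac_strict" case is the rejection seen in the kvno output above; "old_pac_relaxed" is what the fix enables once the string attribute is set (with kadmin's `set_string` command) on the TGS principal of the realm that issued the evidence ticket. Treat the attribute as a migration aid only: the ticket signature is the defence against the Bronze Bit forgery (CVE-2020-17049) it was introduced for, so remove the attribute once every KDC in the realm runs krb5 1.20 or newer.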
Comment 1 Julien Rische 2023-03-17 16:20:38 UTC
Upstream pull request:
https://github.com/krb5/krb5/pull/1295

Comment 9 Florence Blanc-Renaud 2023-06-01 13:33:04 UTC
Moving back to assigned, the mentioned commits are related to IPA. The krb5 part is not done yet.

Comment 23 errata-xmlrpc 2023-11-07 08:56:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: krb5 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6699

