+++ This bug was initially created as a clone of Bug #2178298 +++

As a response to the Kerberos Bronze Bit vulnerability (CVE-2020-17049), Microsoft added a "ticket signature" buffer to the PAC[1]. The presence of this signature is not required for AD to accept the PAC[2]. However, the MIT krb5 implementation[3] in 1.20.1 requires it to be present[4] in case the target is a service principal when the KDC verifies an S4U2Proxy TGS-REQ.

This is an issue for gradual upgrade. Let's consider this setup:

* "alice" user
* RHEL8 IPA server "rhel8.ipa.test" and RHEL9 "rhel9.ipa.test"
* Server "service1.ipa.test" and server "service2.ipa.test"

Alice wants to authenticate to service1.ipa.test. Alice's client is configured to use rhel8.ipa.test as KDC. So she will obtain an alice->HTTP/service1.ipa.test ticket from rhel8.ipa.test without the ticket signature in the PAC.

service1.ipa.test is configured to use rhel9.ipa.test as KDC. service1.ipa.test receives the alice->HTTP/service1.ipa.test ticket from Alice. This service needs to impersonate Alice to authenticate to service2.ipa.test to function. So it sends an S4U2Proxy TGS request for alice->nfs/service2.ipa.test using its own TGT and the alice->HTTP/service1.ipa.test ticket.

rhel9.ipa.test receives the S4U2Proxy TGS-REQ, but since it is using MIT krb5 1.20.1, it will try to verify the PAC ticket signature. But since this PAC was generated on RHEL8 with MIT krb5 1.18.2, the ticket signature will be absent. This will cause the TGS-REQ to fail.

This can be reproduced this way:

# Configure rhel8.ipa.test as KDC in /etc/krb5.conf
# Pre-authenticate as service1.ipa.test:
kinit -kt service.keytab HTTP/service1.ipa.test
# S4U2Self request against rhel8.ipa.test to mimic authentication of alice against service1.ipa.test:
kvno -I alice HTTP/service1.ipa.test
# Configure rhel9.ipa.test as KDC in /etc/krb5.conf
# S4U2Proxy request against rhel9.ipa.test to impersonate alice as service1.ipa.test to service2.ipa.test:
kvno -I alice -P -S nfs service2.ipa.test

This will result in the following error:

kvno: KDC returned error string: 2ND_TKT_PAC nfs/service2.ipa.test@: constrained delegation failed

This is caused by the fact the KDC fails to find the ticket signature buffer in the PAC:

#0  verify_checksum.constprop.0 (context=0x56428d516a60, pac=<optimized out>, buffer_type=16, key=0x7ffc0e0d79a0, data=0x56428d594260, usage=17) at krb/pac.c:534
#1  0x00007f72928bc3e2 in krb5_kdc_verify_ticket (context=context@entry=0x56428d516a60, enc_tkt=enc_tkt@entry=0x56428d51b840, server_princ=server_princ@entry=0x56428d61af00, server=server@entry=0x56428d594240, privsvr=privsvr@entry=0x7ffc0e0d79a0, pac_out=pac_out@entry=0x7ffc0e0d78f0) at krb/pac.c:707
#2  0x000056428bcbeb90 in get_verified_pac (pac_out=0x7ffc0e0d78f0, tgt_key=0x7ffc0e0d79a0, tgt=0x56428d6196d0, server_key=0x56428d594240, sprinc=0x56428d61af00, enc_tkt=0x56428d51b840, context=0x56428d516a60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:548
#3  get_verified_pac (context=0x56428d516a60, enc_tkt=0x56428d51b840, sprinc=0x56428d61af00, server_key=0x56428d594240, tgt=tgt@entry=0x56428d6196d0, tgt_key=tgt_key@entry=0x7ffc0e0d79a0, pac_out=0x7ffc0e0d78f0) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:530
#4  0x000056428bcc291b in decrypt_2ndtkt (status=0x7ffc0e0d7930, key_out=<synthetic pointer>, server_out=<synthetic pointer>, pac_out=0x7ffc0e0d78f0, stkt_out=<synthetic pointer>, local_tgt_key=0x7ffc0e0d79a0, local_tgt=0x56428d6196d0, flags=0, req=<optimized out>, kdc_active_realm=0x56428d61ab60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:900
#5  process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x56428d4e04f0, from=from@entry=0x56428d623e20, kdc_active_realm=kdc_active_realm@entry=0x56428d61ab60, response=response@entry=0x7ffc0e0d7c60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:292
#6  0x000056428bcc5c5d in dispatch (cb=<optimized out>, local_addr=0x56428d4e04d8, remote_addr=0x56428d623e20, pkt=0x56428d4e04f0, is_tcp=1, vctx=0x56428d4e2a80, respond=0x56428bcca8a0 <process_tcp_response>, arg=0x56428d4e0440) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/dispatch.c:165
#7  0x000056428bccaca4 in process_tcp_connection_read (ctx=0x56428d4e2a80, ev=<optimized out>) at ../lib/apputils/net-server.c:1362
#8  0x00007f72928257fc in verto_fire () from /lib64/libverto.so.1
#9  0x00007f72815cfd83 in ev_invoke_pending () from /lib64/libev.so.4
#10 0x00007f72815d3830 in ev_run () from /lib64/libev.so.4
#11 0x000056428bcb9fa6 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/main.c:1043

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/76c10ef5-de76-44bf-b208-0d8750fc2edd
[2] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf Page 6, 1st paragraph
[3] https://github.com/krb5/krb5/pull/1225
[4] https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/lib/krb5/krb/pac.c#L690

--- Additional comment from Julien Rische on 2023-03-17 16:20:38 UTC ---

Upstream pull request: https://github.com/krb5/krb5/pull/1295
Fedora pull request: https://src.fedoraproject.org/rpms/krb5/pull-request/36
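The report above hinges on one structural detail of the PAC: whether the evidence ticket's PACTYPE blob carries a PAC_TICKET_CHECKSUM buffer (ulType 16, the `buffer_type=16` visible in frame #0). The following is an added example, not code from the bug report, from MIT krb5 or from FreeIPA. It builds PACTYPE blobs from the MS-PAC layout (cBuffers/Version header, then PAC_INFO_BUFFER entries of ulType, cbBufferSize, 8-byte Offset, with 8-byte-aligned payloads), parses them back, and emulates the presence check under the two policies the report contrasts: the strict 1.20.1 behaviour that rejects a PAC without the ticket signature, and a tolerant policy that accepts one, as AD does. The two sample PACs, the signature bytes inside them, and the function names `build_pac`, `parse_pac` and `check_s4u2proxy_evidence_pac` are constructed for this example; no real checksum is computed or verified, only the buffer table is inspected.

```python
import struct

# PAC buffer types (ulType) from MS-PAC section 2.4.
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7
PAC_CLIENT_INFO = 10
PAC_TICKET_CHECKSUM = 16   # the buffer krb5 1.20.1 requires on the S4U2Proxy evidence ticket

# Kerberos checksum type for hmac-sha1-96-aes256 (RFC 3962); 12-byte signature.
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16


def build_pac(buffers):
    """Serialize (ulType, payload) pairs into a PACTYPE blob (MS-PAC 2.3).

    Header: cBuffers, Version (ULONG each, Version must be 0), followed by one
    PAC_INFO_BUFFER per entry (ulType, cbBufferSize as ULONG, Offset as ULONGLONG).
    Offsets are relative to the start of the PACTYPE and payloads are 8-byte aligned.
    """
    offset = 8 + 16 * len(buffers)
    infos, body = [], b""
    for ul_type, payload in buffers:
        infos.append(struct.pack("<IIQ", ul_type, len(payload), offset))
        padded = payload + b"\x00" * (-len(payload) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + b"".join(infos) + body


def parse_pac(data):
    """Return {ulType: payload} for a PACTYPE blob; raise ValueError on malformed input."""
    if len(data) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", data, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    if 8 + 16 * count > len(data):
        raise ValueError("PAC_INFO_BUFFER table runs past end of PAC")
    buffers = {}
    for i in range(count):
        ul_type, size, off = struct.unpack_from("<IIQ", data, 8 + 16 * i)
        if off + size > len(data):
            raise ValueError("buffer %d (type %d) runs past end of PAC" % (i, ul_type))
        if ul_type in buffers:
            raise ValueError("duplicate buffer type %d" % ul_type)
        buffers[ul_type] = data[off:off + size]
    return buffers


def check_s4u2proxy_evidence_pac(data, require_ticket_signature):
    """Emulate the buffer-presence check on the evidence ticket's PAC.

    Returns (accepted, reason). Server and KDC checksum buffers are always
    required; the ticket checksum buffer only under the strict policy.
    """
    buffers = parse_pac(data)
    for required in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if required not in buffers:
            return False, "missing checksum buffer type %d" % required
    if PAC_TICKET_CHECKSUM not in buffers:
        if require_ticket_signature:
            return False, "missing ticket signature buffer (type 16): 2ND_TKT_PAC"
        return True, "ticket signature absent; accepted (ticket issued by a legacy KDC)"
    return True, "ticket signature present"


# Constructed PAC_SIGNATURE_DATA: SignatureType + placeholder 12-byte signature.
FAKE_SIG = struct.pack("<I", CKSUMTYPE_HMAC_SHA1_96_AES256) + b"\x00" * 12

# Constructed PAC as a 1.18.2 KDC would lay it out: no ticket checksum buffer.
LEGACY_PAC = build_pac([
    (PAC_LOGON_INFO, b"logon-info-placeholder"),
    (PAC_CLIENT_INFO, b"client-info-placeholder"),
    (PAC_SERVER_CHECKSUM, FAKE_SIG),
    (PAC_PRIVSVR_CHECKSUM, FAKE_SIG),
])

# Constructed PAC as a 1.20.1 KDC would lay it out: ticket checksum buffer present.
MODERN_PAC = build_pac([
    (PAC_LOGON_INFO, b"logon-info-placeholder"),
    (PAC_CLIENT_INFO, b"client-info-placeholder"),
    (PAC_SERVER_CHECKSUM, FAKE_SIG),
    (PAC_PRIVSVR_CHECKSUM, FAKE_SIG),
    (PAC_TICKET_CHECKSUM, FAKE_SIG),
])

if __name__ == "__main__":
    for name, pac in (("legacy", LEGACY_PAC), ("modern", MODERN_PAC)):
        for strict in (True, False):
            print(name, "strict" if strict else "tolerant",
                  check_s4u2proxy_evidence_pac(pac, strict))
```

Run stand-alone, the legacy PAC is rejected under the strict policy with the same 2ND_TKT_PAC reason the report's kvno output shows, and accepted under the tolerant one; the modern PAC passes both. The parser's bounds and duplicate checks are the part worth keeping if you adapt this to inspect PACs captured from a real KDC.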
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.