+++ This bug was initially created as a clone of Bug #2187722 +++

Description of problem:
PKINIT preauth stopped working (the MIT krb5 KDC does not send a PA-PK-AS-REQ message in KRB5KDC_ERR_PREAUTH_REQUIRED) with openssl-libs-3.0.7-9.el9_2 and newer in FIPS mode on RHEL9.2.

Version-Release number of selected component (if applicable):
RHEL9.2
krb5-server-1.20.1-8.el9.x86_64
openssl-libs-3.0.7-12.el9_2.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set up PKINIT and generate certs (used certificates and generating script were attached)

kdc.conf (conf file was attached)
- add the pkinit options into kdc.conf
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
- supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
- create user alice with "REQUIRES_PRE_AUTH" attribute

krb5.conf (conf file was attached)
- add pkinit options into krb5.conf
  pkinit_anchors = FILE:/etc/krb5/cacert.pem
  pkinit_identities = FILE:/etc/krb5/alice.pem,/etc/krb5/alicekey.pem
- fips-mode-setup --enable
- update-crypto-policies --set FIPS

Actual results:
# kinit alice
[68340] 1681826975.764972: Matching alice.COM in collection with result: 0/Success
[68340] 1681826975.764973: Getting initial credentials for alice.COM
[68340] 1681826975.764975: Sending unauthenticated request
[68340] 1681826975.764976: Sending request (192 bytes) to TEST.REDHAT.COM
[68340] 1681826975.764977: Resolving hostname xx
[68340] 1681826975.764978: Sending initial UDP request to dgram xx:88
[68340] 1681826975.764979: Received answer (249 bytes) from dgram xx:88
[68340] 1681826975.764980: Sending DNS URI query for _kerberos.TEST.REDHAT.COM.
[68340] 1681826975.764981: No URI records found
[68340] 1681826975.764982: Sending DNS SRV query for _kerberos-master._udp.TEST.REDHAT.COM.
[68340] 1681826975.764983: Sending DNS SRV query for _kerberos-master._tcp.TEST.REDHAT.COM.
[68340] 1681826975.764984: No SRV records found
[68340] 1681826975.764985: Response was not from primary KDC
[68340] 1681826975.764986: Received error from KDC: -1765328359/Additional pre-authentication required
[68340] 1681826975.764989: Preauthenticating using KDC method data
[68340] 1681826975.764990: Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[68340] 1681826975.764991: Selected etype info: etype aes256-sha2, salt "TEST.REDHAT.COMalice", params ""
[68340] 1681826975.764992: Received cookie: MIT
Password for alice.COM: ...

Expected results:
# kinit alice
# klist
Ticket cache: KCM:0
Default principal: alice.COM

Valid starting       Expires              Service principal
04/18/23 10:10:40    04/19/23 10:10:40    krbtgt/TEST.REDHAT.COM.COM
        renew until 04/18/23 10:10:40

Additional info:
- the same scenario (the same certificates + settings) passed with openssl-libs-3.0.7-6.el9_2.x86_64
- nonFIPS scenario works

--- Additional comment from Julien Rische on 2023-05-23 16:28:18 UTC ---

This downstream merge request is fixing the issue on the OpenSSL side by re-enabling the DHX key type:
https://gitlab.com/redhat/centos-stream/rpms/openssl/-/merge_requests/109

However, it will not be possible to load groups that are not considered well-known by OpenSSL. This is the case of group 2. I opened a krb5 upstream pull request to allow the PKINIT plugin to be loaded if at least one of groups 2, 14, or 16 is available:
https://github.com/krb5/krb5/pull/1303
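As an added check, not part of this bug report nor of the krb5 or OpenSSL projects' code: a POSIX shell script that probes which of the PKINIT Diffie-Hellman groups named in the comment above (2, 14 and 16) the installed OpenSSL 3 can instantiate under its current provider configuration, so an administrator can see whether the "at least one of 2, 14, 16" condition holds on a FIPS host. It assumes the `openssl` command-line tool is present and that it accepts OpenSSL 3's named DH groups modp_2048 and modp_4096 (RFC 3526 groups 14 and 16); the function names are the script's own.

```shell
#!/bin/sh
# Map a PKINIT (RFC 4556) DH group number to an OpenSSL 3 named DH group.
#   14 -> modp_2048, 16 -> modp_4096 (RFC 3526)
#   2  -> RFC 2409 1024-bit MODP: not a named group in OpenSSL 3, so it
#         cannot be requested by name (return code 2)
#   anything else is not a PKINIT group (return code 1)
pkinit_group_name() {
  case "$1" in
    14) echo modp_2048 ;;
    16) echo modp_4096 ;;
    2)  return 2 ;;
    *)  return 1 ;;
  esac
}

# Return 0 if OpenSSL can generate a DH key on the group with the currently
# active providers (e.g. the FIPS provider), 1 otherwise. The key is written
# to /dev/null; nothing is stored. A missing openssl binary also yields 1.
openssl_group_available() {
  name=$(pkinit_group_name "$1") || return 1
  openssl genpkey -algorithm DH -pkeyopt "group:$name" -out /dev/null >/dev/null 2>&1
}

# Report each PKINIT group and return 0 when at least one is usable, which is
# the loading condition described for the PKINIT plugin in the comment above.
pkinit_dh_check() {
  any=1
  for g in 2 14 16; do
    if openssl_group_available "$g"; then
      echo "PKINIT DH group $g: available"
      any=0
    else
      echo "PKINIT DH group $g: unavailable"
    fi
  done
  return $any
}

# Usage: run the check and exit non-zero if PKINIT would have no usable group.
pkinit_dh_check
```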
Fedora pull request: https://src.fedoraproject.org/rpms/krb5/pull-request/36
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.