#10759 impossible to kinit on RHEL9 with 2FA against FEDORAPROJECT.ORG Realm
Closed: Fixed a year ago by arrfab. Opened 2 years ago by arrfab.

New laptop installed with RHEL9, using default values.
Trying to get a Kerberos ticket and it doesn't work, related to TLS and DH parameters.
See this debug for the first anonymous init (needed for proper pkinit for 2FA):

KRB5_TRACE=/dev/stdout kinit -n @FEDORAPROJECT.ORG -c FILE:armor.ccache
[122054] 1654855391.343485: Getting initial credentials for @FEDORAPROJECT.ORG
[122054] 1654855391.343487: Sending unauthenticated request
[122054] 1654855391.343488: Sending request (217 bytes) to FEDORAPROJECT.ORG
[122054] 1654855391.343489: Resolving hostname id.fedoraproject.org
[122054] 1654855391.343490: TLS certificate name matched "id.fedoraproject.org"
[122054] 1654855391.343491: Sending HTTPS request to https 38.145.60.20:443
[122054] 1654855391.343492: Received answer (347 bytes) from https 38.145.60.20:443
[122054] 1654855391.343493: Terminating TCP connection to https 38.145.60.20:443
[122054] 1654855391.343494: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[122054] 1654855391.343495: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[122054] 1654855391.343496: Response was from primary KDC
[122054] 1654855391.343497: Received error from KDC: -1765328359/Additional pre-authentication required
[122054] 1654855391.343500: Preauthenticating using KDC method data
[122054] 1654855391.343501: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[122054] 1654855391.343502: Selected etype info: etype aes256-cts, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""
[122054] 1654855391.343503: Received cookie: MIT
[122054] 1654855391.343504: Preauth module pkinit (147) (info) returned: 0/Success
[122054] 1654855391.343505: PKINIT client received freshness token from KDC
[122054] 1654855391.343506: Preauth module pkinit (150) (info) returned: 0/Success
[122054] 1654855391.343507: PKINIT loading CA certs and CRLs from FILE
[122054] 1654855391.343508: PKINIT client computed kdc-req-body checksum 9/C1C5A2E5D6AA3CD5CC382A5A63DE2736DFA5C580
[122054] 1654855391.343510: PKINIT client making DH request
[122054] 1654855391.343511: Preauth module pkinit (16) (real) returned: 0/Success
[122054] 1654855391.343512: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[122054] 1654855391.343513: Sending request (1431 bytes) to FEDORAPROJECT.ORG
[122054] 1654855391.343514: Resolving hostname id.fedoraproject.org
[122054] 1654855392.109127: TLS certificate name matched "id.fedoraproject.org"
[122054] 1654855392.109128: Sending HTTPS request to https 38.145.60.21:443
[122054] 1654855392.109129: Received answer (2862 bytes) from https 38.145.60.21:443
[122054] 1654855392.109130: Terminating TCP connection to https 38.145.60.21:443
[122054] 1654855392.109131: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[122054] 1654855392.109132: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[122054] 1654855392.109133: Response was from primary KDC
[122054] 1654855392.109134: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[122054] 1654855392.109135: Preauth module pkinit (147) (info) returned: 0/Success
[122054] 1654855392.109136: PKINIT OpenSSL error: Failed to verify CMS message
[122054] 1654855392.109137: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data
[122054] 1654855392.109138: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest
[122054] 1654855392.109139: PKINIT client could not verify DH reply
[122054] 1654855392.109140: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data
[122054] 1654855392.109141: Produced preauth for next request: (empty)
[122054] 1654855392.109142: Getting AS key, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@FEDORAPROJECT.ORG: 
[122054] 1654855617.112663: AS key obtained from gak_fct: aes256-cts/CCC6
kinit: Password incorrect while getting initial credentials

Clearly mentioning PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest, so I tried just (as a temporary workaround) to lower expectations with sudo update-crypto-policies --set LEGACY and then it works:

KRB5_TRACE=/dev/stdout kinit -n @FEDORAPROJECT.ORG -c FILE:armor.ccache
[123147] 1654855646.666436: Getting initial credentials for @FEDORAPROJECT.ORG
[123147] 1654855646.666438: Sending unauthenticated request
[123147] 1654855646.666439: Sending request (217 bytes) to FEDORAPROJECT.ORG
[123147] 1654855646.666440: Resolving hostname id.fedoraproject.org
[123147] 1654855646.666441: TLS certificate name matched "id.fedoraproject.org"
[123147] 1654855646.666442: Sending HTTPS request to https 38.145.60.20:443
[123147] 1654855647.250507: Received answer (347 bytes) from https 38.145.60.20:443
[123147] 1654855647.250508: Terminating TCP connection to https 38.145.60.20:443
[123147] 1654855647.250509: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[123147] 1654855647.250510: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[123147] 1654855647.250511: Response was from primary KDC
[123147] 1654855647.250512: Received error from KDC: -1765328359/Additional pre-authentication required
[123147] 1654855647.250515: Preauthenticating using KDC method data
[123147] 1654855647.250516: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[123147] 1654855647.250517: Selected etype info: etype aes256-cts, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""
[123147] 1654855647.250518: Received cookie: MIT
[123147] 1654855647.250519: Preauth module pkinit (147) (info) returned: 0/Success
[123147] 1654855647.250520: PKINIT client received freshness token from KDC
[123147] 1654855647.250521: Preauth module pkinit (150) (info) returned: 0/Success
[123147] 1654855647.250522: PKINIT loading CA certs and CRLs from FILE
[123147] 1654855647.250523: PKINIT client computed kdc-req-body checksum 9/630214D642E42382ED1871B62D2F68358F30E457
[123147] 1654855647.250525: PKINIT client making DH request
[123147] 1654855647.250526: Preauth module pkinit (16) (real) returned: 0/Success
[123147] 1654855647.250527: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[123147] 1654855647.250528: Sending request (1430 bytes) to FEDORAPROJECT.ORG
[123147] 1654855647.250529: Resolving hostname id.fedoraproject.org
[123147] 1654855648.176397: TLS certificate name matched "id.fedoraproject.org"
[123147] 1654855648.176398: Sending HTTPS request to https 38.145.60.20:443
[123147] 1654855648.176399: Received answer (2861 bytes) from https 38.145.60.20:443
[123147] 1654855648.176400: Terminating TCP connection to https 38.145.60.20:443
[123147] 1654855648.176401: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[123147] 1654855648.176402: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[123147] 1654855648.176403: Response was from primary KDC
[123147] 1654855648.176404: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[123147] 1654855648.176405: Preauth module pkinit (147) (info) returned: 0/Success
[123147] 1654855648.176406: PKINIT client verified DH reply
[123147] 1654855648.176407: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[123147] 1654855648.176408: PKINIT client matched KDC principal krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG against id-pkinit-san; no EKU check required
[123147] 1654855648.176409: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/680E
[123147] 1654855648.176410: Preauth module pkinit (17) (real) returned: 0/Success
[123147] 1654855648.176411: Produced preauth for next request: (empty)
[123147] 1654855648.176412: AS key determined by preauth: aes256-cts/680E
[123147] 1654855648.176413: Decrypted AS reply; session key is: aes256-cts/D5CF
[123147] 1654855648.176414: FAST negotiation: available
[123147] 1654855648.176415: Initializing FILE:armor.ccache with default princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[123147] 1654855648.176416: Storing config in FILE:armor.ccache for : start_realm: FEDORAPROJECT.ORG
[123147] 1654855648.176417: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/start_realm@X-CACHECONF: in FILE:armor.ccache
[123147] 1654855648.176418: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG in FILE:armor.ccache
[123147] 1654855648.176419: Storing config in FILE:armor.ccache for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: fast_avail: yes
[123147] 1654855648.176420: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: in FILE:armor.ccache
[123147] 1654855648.176421: Storing config in FILE:armor.ccache for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: pa_type: 16
[123147] 1654855648.176422: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: in FILE:armor.ccache
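The two traces above differ in a handful of lines: the failing run emits "PKINIT OpenSSL error" messages ending in "invalid digest", never reaches "PKINIT client verified DH reply", and falls back to a password prompt for the anonymous principal. The following is an added example (not code from the ticket or from krb5) that parses the KRB5_TRACE format MIT krb5 prints ("[pid] timestamp: message") and classifies a run by exactly those markers, so the same check can be scripted on a fleet of clients after a crypto-policy or KDC-side change. The sample traces are lines copied from this ticket; the function and class names are the example's own.

```python
"""Triage a KRB5_TRACE transcript for PKINIT digest-policy failures.

Added example, not part of the ticket. It recognises the markers seen
in the traces above: OpenSSL errors raised while verifying the KDC's
CMS reply, the "verified DH reply" success line, the per-pa-type
result line, and the fallback to a password-derived AS key.
"""
import re
from dataclasses import dataclass, field

# MIT krb5 trace line: "[pid] seconds.micros: message"
TRACE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
# Only the "(real)" result lines carry the pkinit module's verdict.
PKINIT_RESULT_RE = re.compile(
    r"Preauth module pkinit \((?P<patype>\d+)\) \(real\) returned: "
    r"(?P<code>-?\d+)/(?P<text>.*)$"
)
OPENSSL_PREFIX = "PKINIT OpenSSL error: "


@dataclass
class PkinitDiagnosis:
    dh_reply_verified: bool = False
    openssl_errors: list = field(default_factory=list)
    pkinit_results: dict = field(default_factory=dict)  # pa-type -> (code, text)
    fell_back_to_password: bool = False

    @property
    def digest_policy_suspected(self) -> bool:
        """True when the KDC reply failed verification with OpenSSL's
        'invalid digest' error and no DH reply was ever verified: the
        pattern from the ticket, where the client's crypto policy rejects
        the digest the KDC (or KDC proxy path) signed the reply with."""
        return (not self.dh_reply_verified
                and any("invalid digest" in e for e in self.openssl_errors))


def diagnose_trace(lines):
    """Walk trace lines in order and collect the PKINIT-relevant markers."""
    d = PkinitDiagnosis()
    for line in lines:
        m = TRACE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # password prompt and kinit's final error carry no trace prefix
        msg = m["msg"]
        if msg.startswith(OPENSSL_PREFIX):
            d.openssl_errors.append(msg[len(OPENSSL_PREFIX):])
        elif msg == "PKINIT client verified DH reply":
            d.dh_reply_verified = True
        elif msg.startswith("Getting AS key, salt"):
            # krb5 gave up on PKINIT and is deriving a key from a password
            d.fell_back_to_password = True
        else:
            r = PKINIT_RESULT_RE.match(msg)
            if r:
                d.pkinit_results[int(r["patype"])] = (int(r["code"]), r["text"])
    return d


def summarize(d):
    """One-line verdict suitable for a fleet check or monitoring output."""
    if d.dh_reply_verified:
        return "ok: PKINIT DH reply verified"
    if d.digest_policy_suspected:
        return ("pkinit-digest-rejected: KDC reply signed with a digest the client "
                "crypto policy rejects; check 'update-crypto-policies --show' and "
                "whether the KDC / KDC proxy side has been updated")
    if d.openssl_errors:
        return "pkinit-failed: " + "; ".join(d.openssl_errors)
    return "pkinit-not-attempted"


# Sample input: lines copied from the failing and working runs in this ticket.
FAILING_TRACE = [
    "[122054] 1654855392.109135: Preauth module pkinit (147) (info) returned: 0/Success",
    "[122054] 1654855392.109136: PKINIT OpenSSL error: Failed to verify CMS message",
    "[122054] 1654855392.109137: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data",
    "[122054] 1654855392.109138: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest",
    "[122054] 1654855392.109139: PKINIT client could not verify DH reply",
    "[122054] 1654855392.109140: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data",
    '[122054] 1654855392.109142: Getting AS key, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""',
    "Password for WELLKNOWN/ANONYMOUS@FEDORAPROJECT.ORG: ",
    "kinit: Password incorrect while getting initial credentials",
]
WORKING_TRACE = [
    "[123147] 1654855648.176405: Preauth module pkinit (147) (info) returned: 0/Success",
    "[123147] 1654855648.176406: PKINIT client verified DH reply",
    "[123147] 1654855648.176407: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG",
    "[123147] 1654855648.176409: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/680E",
    "[123147] 1654855648.176410: Preauth module pkinit (17) (real) returned: 0/Success",
]

if __name__ == "__main__":
    print(summarize(diagnose_trace(FAILING_TRACE)))
    print(summarize(diagnose_trace(WORKING_TRACE)))
```

In practice the input is the output of `KRB5_TRACE=/dev/stdout kinit -n @REALM -c FILE:armor.ccache` piped into the script; the distinguishing signal is the combination of "invalid digest" with the absence of "verified DH reply", which is what separates a policy rejection of the KDC's signature digest from, say, a CA-trust or hostname problem.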

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: authentication, high-gain, medium-trouble

2 years ago

This seems to be https://bugzilla.redhat.com/show_bug.cgi?id=2060798

TLDR: for now use 'update-crypto-policies --set DEFAULT:SHA1' until RHEL8.7 or until we upgrade our IPA servers to 9.

So, I don't think there's much we can do here aside from waiting or moving to 9 for IPA servers.

Metadata Update from @kevin:
- Issue close_status updated to: Upstream
- Issue status updated to: Closed (was: Open)

2 years ago

Let me keep this one open until that's really resolved, so that people (some asked on centos channels about it) can find this ticket.

Metadata Update from @arrfab:
- Issue status updated to: Open (was: Closed)

2 years ago

@arrfab The bugzilla ticket seems to be closed, could we close this ticket?

@zlopez: no, as mentioned by @kevin, that will only be possible once IPA itself has been upgraded to RHEL 8.7, which isn't there (yet) :)
So the BZ was closed with the upcoming solution, but it's not yet available (nor installed on fedora-infra), so the reported problem is still there.

Our ipa cluster is on 8.7 now. Can someone test if this is fixed?

Back to DEFAULT crypto-policy and I get this:

[4122057] 1668848670.284260: PKINIT OpenSSL error: Failed to verify CMS message
[4122057] 1668848670.284261: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data
[4122057] 1668848670.284262: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest
[4122057] 1668848670.284263: PKINIT client could not verify DH reply
[4122057] 1668848670.284264: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data

Going back to LEGACY and it's then working again:

[4122188] 1668848781.035521: Preauth module pkinit (147) (info) returned: 0/Success
[4122188] 1668848781.035522: PKINIT client verified DH reply
[4122188] 1668848781.035523: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[4122188] 1668848781.035524: PKINIT client matched KDC principal krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG against id-pkinit-san; no EKU check required

As it's going through KdcProxy, is that one also updated (so ensuring all nodes in the path to IPA itself)?

KdcProxy was updated, but some other things were not. ;(

I applied everything, rebooted and made sure everything was running. :100:
Please try again now?

Seems to be working now:

[331327] 1669018613.005581: Preauth module pkinit (147) (info) returned: 0/Success
[331327] 1669018613.005582: PKINIT client verified DH reply
[331327] 1669018613.005583: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[331327] 1669018613.005584: PKINIT client matched KDC principal krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG against id-pkinit-san; no EKU check required
[331327] 1669018613.005585: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/4FAF
[331327] 1669018613.005586: Preauth module pkinit (17) (real) returned: 0/Success

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago
