#8632 [CA-less] user fails to login via WebUI in case of `--no-pkinit`
Closed: fixed 7 months ago by frenaud. Opened 11 months ago by slev.

In CA-less installations with the --no-pkinit option, a user cannot log in to the WebUI.

Apache error log:

[Sat Dec 26 07:42:05.793305 2020] [wsgi:error] [pid 1521:tid 1844] [remote 2001:db8::242:ac11:3:47306] ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/kinit', '-n', '-c', '/run/ipa/ccaches/armor_1521', '-X', 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X', 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem'] returned non-zero exit status 1: 'kinit: Cannot read password while getting initial credentials\\n')
# KRB5_TRACE=/dev/stderr /usr/bin/kinit -n -c /run/ipa/ccaches/armor_cache -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt 
[3077] 1608984767.685723: Getting initial credentials for WELLKNOWN/ANONYMOUS@IPA.TEST
[3077] 1608984767.685725: Sending unauthenticated request
[3077] 1608984767.685726: Sending request (186 bytes) to IPA.TEST
[3077] 1608984767.685727: Initiating TCP connection to stream 172.17.0.3:88
[3077] 1608984767.685728: Sending TCP request to stream 172.17.0.3:88
[3077] 1608984767.685729: Received answer (529 bytes) from stream 172.17.0.3:88
[3077] 1608984767.685730: Terminating TCP connection to stream 172.17.0.3:88
[3077] 1608984767.685731: Response was from master KDC
[3077] 1608984767.685732: Received error from KDC: -1765328359/Additional pre-authentication required
[3077] 1608984767.685735: Preauthenticating using KDC method data
[3077] 1608984767.685736: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3077] 1608984767.685737: Selected etype info: etype aes256-cts, salt "IPA.TESTWELLKNOWNANONYMOUS", params ""
[3077] 1608984767.685738: Received cookie: MIT1\x00\x00\x00\x01\xaa\x17\x8f\xaa\xdc=\xb8\xa6M6\xea\xa8]\xa7Q\xef\xd4\xf6\xd8\xba{\xda\x95\x90\xd0\xdb\xf9\xf9\xb0\x19|\x19\xd3D\x0f\x1d\x9d\xf9H\x14{1>lDIU\x1c\xb3\x84<\x1d\xd6\x03"cuWd\x90\xd4\xc7\x1b\x12Z\xb2\xf1\xcf\x93\xf2\xe2\x97\xa5\x09\x02h\xf2\xb4*wTX\xc6-\xc1\xc7\xc7\xaf|{\xa6z\xf2o\x1f\x03}\xe4\x9cMU\xae{H\xc8\xe9\x8c\x0e?I\xf2\x13Q_\x0b\xcc\x8f\xd3m6\x83b\x9aV\xa8\xaa\x98)\x84\x92
[3077] 1608984767.685739: Preauth module pkinit (147) (info) returned: 0/Success
[3077] 1608984767.685740: PKINIT client received freshness token from KDC
[3077] 1608984767.685741: Preauth module pkinit (150) (info) returned: 0/Success
[3077] 1608984767.685742: PKINIT loading CA certs and CRLs from FILE
[3077] 1608984767.685743: PKINIT loading CA certs and CRLs from FILE
[3077] 1608984767.685744: PKINIT client computed kdc-req-body checksum 9/357AA73021856D3448D547921C11449F1E5CD091
[3077] 1608984767.685746: PKINIT client making DH request
[3077] 1608984768.234036: Preauth module pkinit (16) (real) returned: 0/Success
[3077] 1608984768.234037: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[3077] 1608984768.234038: Sending request (1497 bytes) to IPA.TEST
[3077] 1608984768.234039: Initiating TCP connection to stream 172.17.0.3:88
[3077] 1608984768.234040: Sending TCP request to stream 172.17.0.3:88
[3077] 1608984768.234041: Received answer (1533 bytes) from stream 172.17.0.3:88
[3077] 1608984768.234042: Terminating TCP connection to stream 172.17.0.3:88
[3077] 1608984768.234043: Response was from master KDC
[3077] 1608984768.234044: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[3077] 1608984768.234045: Preauth module pkinit (147) (info) returned: 0/Success
[3077] 1608984768.234046: PKINIT OpenSSL error: Failed to verify received certificate (depth 0): self signed certificate
[3077] 1608984768.234047: PKINIT client could not verify DH reply
[3077] 1608984768.234048: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 0): self signed certificate
[3077] 1608984768.234049: Produced preauth for next request: (empty)
[3077] 1608984768.234050: Getting AS key, salt "IPA.TESTWELLKNOWNANONYMOUS", params ""
Password for WELLKNOWN/ANONYMOUS@IPA.TEST:

The error is PKINIT OpenSSL error: Failed to verify received certificate (depth 0): self signed certificate.

This is caused by https://github.com/openssl/openssl/commit/315c47e00bb953abe8892a3c1272289330b29d23 (openssl 1.1.1i is affected).
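What the trace above shows is the chain of events behind the Apache error: the WebUI obtains its FAST armor ccache with an anonymous PKINIT `kinit -n`; when the client cannot verify the certificate in the KDC's PA-PK-AS-REP, krb5 drops PKINIT and falls back to password preauth ("Getting AS key ..."), and since the WSGI process has no terminal that fallback dies with "Cannot read password". The following triage script is an added example for this ticket, not FreeIPA project code. It reproduces that check offline against the trace lines quoted above and, with `--live` on an IPA server, runs the same `kinit -n` the WebUI runs with stdin closed so the fallback fails fast instead of prompting. Assumptions: the anchor path is the one from the Apache log, `ARMOR_CCACHE` is a hypothetical scratch ccache path, and the version check flags exactly 1.1.1i as affected, as the report states; a distribution may carry the fix in its own 1.1.1i build (as was done for ALTLinux), so treat a version match as a hint and the trace as the evidence.

```shell
#!/bin/sh
# Triage helper for the failure in this ticket. Added example, not FreeIPA code.
# Assumptions: the kinit/anchor paths below mirror the Apache log above; the
# version check treats exactly "1.1.1i" as affected, as the report states.
set -eu

ARMOR_CCACHE=/run/ipa/ccaches/armor_triage   # hypothetical scratch ccache path
KDC_CRT=/var/kerberos/krb5kdc/kdc.crt        # anchor used in the Apache log

# Return 0 when an `openssl version` string names the affected release.
openssl_is_affected() {
    case "$1" in
        "OpenSSL 1.1.1i"|"OpenSSL 1.1.1i "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a KRB5_TRACE transcript of `kinit -n` (anonymous PKINIT):
#   pkinit-verify-failed  PA-PK-AS-REP arrived but the KDC cert did not verify
#   pkinit-ok             the reply verified (krb5 logs 0/Success for type 17)
#   unknown               anything else
pkinit_trace_status() {
    if printf '%s\n' "$1" | grep -q 'PKINIT OpenSSL error: Failed to verify received certificate'; then
        echo pkinit-verify-failed
    elif printf '%s\n' "$1" | grep -q 'Preauth module pkinit (17) (real) returned: 0/Success'; then
        echo pkinit-ok
    else
        echo unknown
    fi
}

# Print the OpenSSL reason text, e.g. "(depth 0): self signed certificate".
pkinit_verify_reason() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Failed to verify received certificate \(.*\)$/\1/p' \
        | head -n 1
}

# Lines excerpted from the KRB5_TRACE output in the ticket, for offline use.
SAMPLE_TRACE=$(cat <<'EOF'
[3077] 1608984768.234038: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[3077] 1608984768.234046: PKINIT OpenSSL error: Failed to verify received certificate (depth 0): self signed certificate
[3077] 1608984768.234047: PKINIT client could not verify DH reply
[3077] 1608984768.234048: Preauth module pkinit (17) (real) returned: -1765328313/Failed to verify received certificate (depth 0): self signed certificate
[3077] 1608984768.234050: Getting AS key, salt "IPA.TESTWELLKNOWNANONYMOUS", params ""
EOF
)

# Live check on an IPA server: run `kinit -n` the way the WebUI does, with stdin
# closed so the password fallback fails fast instead of prompting.
live_check() {
    ver=$(openssl version)
    if openssl_is_affected "$ver"; then
        echo "openssl build is 1.1.1i: $ver"
    fi
    trace=$(KRB5_TRACE=/dev/stderr kinit -n -c "$ARMOR_CCACHE" \
                -X "X509_anchors=FILE:$KDC_CRT" 2>&1 </dev/null || true)
    status=$(pkinit_trace_status "$trace")
    echo "anonymous PKINIT: $status"
    if [ "$status" = pkinit-verify-failed ]; then
        echo "reason: $(pkinit_verify_reason "$trace")"
    fi
}

# Only invoke kinit/openssl when explicitly asked; the functions above work offline.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "sample trace: $(pkinit_trace_status "$SAMPLE_TRACE") $(pkinit_verify_reason "$SAMPLE_TRACE")"
fi
```

Run it as `sh triage.sh` to see the classification of the quoted trace, or `sh triage.sh --live` as root on the affected server. Closing stdin is the important detail: it makes a plain shell reproduce the non-interactive WSGI environment, so the script fails with the same "Cannot read password" condition the Apache log reports instead of hiding the problem behind an interactive prompt.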


Fixed in https://github.com/openssl/openssl/pull/13749
I've backported that for ALTLinux.
Should I open the ticket for Fedora?

Thanks. Flo already opened https://bugzilla.redhat.com/show_bug.cgi?id=1916594 last week and Sahana promised to update Fedora soon.

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

9 months ago

Metadata Update from @frenaud:
- Issue status updated to: Open (was: Closed)

9 months ago

Keeping this issue open until the fix is available in fed32. Then we'll be able to bump our Requires version.

Metadata Update from @frenaud:
- Issue assigned to frenaud

7 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5697

7 months ago

master:

ipa-4-9:

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 months ago
