reply inline

On 7/11/2022 4:30 AM, Stephan Wonczak ([email protected]) wrote:
Hi Jeffrey,
  Thanks for having a look at the problem.
  However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)

  First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.

  On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64

The version of pam_krb5 is not the only variable that matters. As I mentioned in my earlier replies, pam_krb5-2.4.8-6.el7 does not include support for rxkad-kdf, which is required in order to make use of Kerberos encryption types other than des-cbc-crc, for example aes256-cts-hmac-sha1-96. Without that functionality pam_krb5 only works with Kerberos v5 service tickets whose session keys are des-cbc-crc.

<working output from rhel7 removed>

We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild on a RHEL-8-Machine. This worked without any errors.
  However, when we try to use this to get a token, this happens:

...
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/[email protected]' (enctype=1) on behalf of '[email protected]': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/[email protected]' (enctype=2) on behalf of '[email protected]': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/[email protected]' (enctype=3) on behalf of '[email protected]': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("[email protected]")
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=1) on behalf of '[email protected]': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=2) on behalf of '[email protected]': No credentials found with supported encryption types
Jul  8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for '[email protected]' (enctype=3) on behalf of '[email protected]': No credentials found with supported encryption types
...

   ETYPE_DES_CBC_CRC(1)
   ETYPE_DES_CBC_MD4(2)
   ETYPE_DES_CBC_MD5(3)

The pam_krb5 from rhel7 only knows how to request tickets with DES encryption types.  It assumes that OpenAFS cannot support anything else because it does not have the rxkad-kdf functionality that was added to pam_krb5 post-rhel7 (Jan 4, 2016):

https://github.com/frozencemetery/pam_krb5/commit/3be27655bf9d2520e776ef22ba6bb9486005fff1

To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On RHEL-8, we still get a valid kerberos ticket, but getting the AFS-Token fails. It -is- possible, however, to get a valid AFS-Token by klog.krb5. So -in principle- everything is in place to have this done by pam_afs.   The problem is: I have no way to determine why it is complaining about "no supported encryption types" when other tools have no problems at all!

The answer to this is simple.  The krb5 libraries included in rhel7 support DES encryption types.   The krb5 libraries included with rhel8 do not.   As a result, a pam_krb5 that supports rxkad-kdf is required.


  Additional info. Yes, we did rekey our AFS-cell quite a while ago, and our afs-Principal has two keys:

kadmin.local:  getprinc afs/rrz.uni-koeln.de
Principal: afs/[email protected]
<snip>
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]

I hope the vno 4 des-cbc-crc key is not present on any of the rrz.uni-koeln.de servers.   If it is, the servers are still vulnerable to

  OPENAFS-SA-2013-003 - Brute force DES attack permits compromise of AFS cell
  http://www.openafs.org/pages/security/#OPENAFS-SA-2013-003


Like I said before, I looked at the sources of our version of pam_krb5, and the part where it is failing starts at line 775 inside the function "minikafs_5log_with_principal" (I'll attach the minikafs.c to this mail for reference)

This version of minikafs.c does not support rxkad-kdf.


  If you or anyone else has any ideas how to tackle the problem, any help would be greatly appreciated.

Deploy a version of pam_krb5 which contains the required rxkad-kdf functionality.   The version from rhel7 cannot be used successfully with the MIT Kerberos included with RHEL8 and later releases.

Jeffrey Altman
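As an added illustration (not code from the thread or from pam_krb5), the two checks an administrator would want after reading this exchange: whether a principal still carries a DES-family key after a rekey, and whether the pam_krb5 log shows only DES enctypes (1, 2, 3) being requested. The kadmin output and log lines below are constructed samples modelled on the ones quoted above; host and realm names are placeholders.

```python
"""Defender-side checks for the situation in this thread.  Added example, not
code from the thread: flag DES-family keys left on a principal and detect a
pam_krb5 that only asks for DES enctypes."""
import re

# Enctype numbers as they appear in the pam_krb5 log lines in the thread.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
DES_FAMILY = set(ENCTYPE_NAMES.values())

KEY_RE = re.compile(r"^Key: vno (\d+), (\S+)")
LOG_RE = re.compile(r"error obtaining credentials for '([^']+)' \(enctype=(\d+)\)")

def des_keys_in_getprinc(text):
    """Return [(vno, enctype)] for every DES-family key in kadmin getprinc output."""
    found = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and m.group(2) in DES_FAMILY:
            found.append((int(m.group(1)), m.group(2)))
    return found

def requested_enctypes(log_text):
    """Map each service principal to the sorted enctype names pam_krb5 tried for it."""
    tried = {}
    for m in LOG_RE.finditer(log_text):
        princ, etype = m.group(1), int(m.group(2))
        tried.setdefault(princ, set()).add(ENCTYPE_NAMES.get(etype, f"enctype {etype}"))
    return {p: sorted(s) for p, s in tried.items()}

def only_des_requested(log_text):
    """True when every enctype pam_krb5 asked for is a DES variant (RHEL7 build behaviour)."""
    names = {n for s in requested_enctypes(log_text).values() for n in s}
    return bool(names) and names <= DES_FAMILY

# Constructed sample input (placeholder realm), shaped like the thread's output.
SAMPLE_GETPRINC = """\
Principal: afs/example.realm@EXAMPLE.REALM
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
"""
SAMPLE_LOG = (
    "Jul  8 15:14:57 host sshd[1]: pam_krb5[1]: error obtaining credentials for "
    "'afs/example.realm@EXAMPLE.REALM' (enctype=1) on behalf of 'user@EXAMPLE.REALM': "
    "No credentials found with supported encryption types\n"
    "Jul  8 15:14:57 host sshd[1]: pam_krb5[1]: error obtaining credentials for "
    "'afs/example.realm@EXAMPLE.REALM' (enctype=3) on behalf of 'user@EXAMPLE.REALM': "
    "No credentials found with supported encryption types\n"
)
```

A non-empty result from des_keys_in_getprinc is the condition Jeffrey warns about in connection with OPENAFS-SA-2013-003; a True from only_des_requested matches the RHEL7 pam_krb5 behaviour described above.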

