[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Jeffrey E Altman
jaltman@auristor.com
Mon, 11 Jul 2022 08:46:36 -0400
This is a cryptographically signed message in MIME format.
--------------ms000408040309020204090307
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
reply inline
On 7/11/2022 4:30 AM, Stephan Wonczak (a0033@rrz.uni-koeln.de) wrote:
> Hi Jeffrey,
> Thanks for having a look at the problem.
> However, I obviously did not do a very good job detailing exactly
> what we did ... so here's my next try. Warning: It is going to be
> lengthy :-)
>
> First off: We do not use SSSD. And we would like to keep it that
> way, since it caused various massive problems in the past.
>
> On RHEL-7, everything works perfectly. We are using the
> RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
The version of pam_krb5 is not the only variable that matters. As I
mentioned in my earlier replies pam_krb5-2.4.8-6.el7 does not include
support for rxkad-kdf which is required in order to make use of Kerberos
encryption types other than des-cbc-crc for example
aes256-cts-hmac-sha1-96. Without that functonality pam_krb5 only works
with Kerberos v5 service tickets whose session keys are des-cbc-crc.
> <working output from rhel7 removed>
> We then took the source PRM: pam_krb5-2.4.8-6.el7.src.rpm and did a
> rebuild on a RHEL-8-Machine. This worked without any errors.
> However, when we try to use this to get a token, this happens:
>
> ...
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: error obtaining credentials for
> 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of
> 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported
> encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: error obtaining credentials for
> 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of
> 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported
> encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: error obtaining credentials for
> 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of
> 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported
> encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de"
> ("afs@RRZ.UNI-KOELN.DE")
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: error obtaining credentials for
> 'afs@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of
> 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported
> encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: error obtaining credentials for
> 'afs@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of
> 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported
> encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
> pam_krb5[2204130]: error obtaining credentials for
> 'afs@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of
> 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported
> encryption types
> ...
ETYPE_DES_CBC_CRC(1)
ETYPE_DES_CBC_MD4(2)
ETYPE_DES_CBC_MD5(3)
The pam_krb5 from rhel7 only knows how to request tickets with DES
encryption types. It assumes that OpenAFS cannot support anything else
because it does not have the rxkad-kdf functionality that was added to
pam_krb5 post-rhel7 (Jan 4, 2016):
https://github.com/frozencemetery/pam_krb5/commit/3be27655bf9d2520e776ef22ba6bb9486005fff1
> To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On
> RHEL-8, we still get a valid kerberos ticket, but getting the
> AFS-Token fails. It -is- possible, however, to get a valid AFS-Token
> by klog.krb5. So -in principle- everything is in place to have this
> done by pam_afs.
> The problem is: I have no way to determine why it is complaining
> about "no supported encryption types" when other tools have no
> problems at all!
The answer to this is simple. The krb5 libraries included in rhel7
support DES encryption types. The krb5 libraries included with rhel8
do not. As a result, a pam_krb5 that supports rxkad-kdf is required.
>
> Additional infO. Yes, we did rekey our AFS-cell quite a while ago,
> and our afs-Principal has two keys:
>
> kadmin.local: getprinc afs/rrz.uni-koeln.de
> Principal: afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE
> <snip>
> Anzahl der Schlüssel: 2
> Key: vno 5, aes256-cts-hmac-sha1-96
> Key: vno 4, des-cbc-crc
> MKey: vno 1
> Attribute: REQUIRES_PRE_AUTH
> Richtlinie: [keins]
>
I hope the vno 4 des-cbc-crc key is not present on any of the
rrz.uni-koeln.de servers. If it is, the servers are still vulnerable to
OPENAFS-SA-2013-003 - Brute force DES attack permits compromise of
AFS cell
http://www.openafs.org/pages/security/#OPENAFS-SA-2013-003
> Like I said before, I looked at the sources of our version of
> pam_krb5, and the part where it is failing starts at line 775 inside
> the function "minikafs_5log_with_principal" (I'll attach the
> minikafs.c to this mail for reference)
This version of minikafs.c does not support rxkad-kdf.
>
> If you or anyone else has any ideas how to tackle the problem, any
> help would be greatly appreciated.
>
Deploy a version of pam_krb5 which contains the required rxkad-kdf
functionality. The version from rhel7 cannot be used successfully with
the MIT Kerberos included with RHEL8 and later releases.
Jeffrey Altman
--------------ms000408040309020204090307
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
DGswggXSMIIEuqADAgECAhBAAW0B1qVVQ32wvx2EXYU6MA0GCSqGSIb3DQEBCwUAMDoxCzAJ
BgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQgQ0EgQTEy
MB4XDTE5MDkwNTE0MzE0N1oXDTIyMTEwMTE0MzE0N1owcDEvMC0GCgmSJomT8ixkAQETH0Ew
MTQxMEMwMDAwMDE2RDAxRDZBNTQwMDAwMDQ0NDcxGTAXBgNVBAMTEEplZmZyZXkgRSBBbHRt
YW4xFTATBgNVBAoTDEF1cmlTdG9yIEluYzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCY1TC9QeWnUgEoJ81FcAVnhGn/AWuzvkYRUG5/ZyXDdaM212e8
ybCklgSmZweqNdrfaaHXk9vwjpvpD4YWgb07nJ1QBwlvRV/VPAaDdneIygJJWBCzaMVLttKO
0VimH/I/HUwFBQT2mrktucCEf2qogdi2P+p5nuhnhIUiyZ71Fo43gF6cuXIMV/1rBNIJDuwM
Q3H8zi6GL0p4mZFZDDKtbYq2l8+MNxFvMrYcLaJqejQNQRBuZVfv0Fq9pOGwNLAk19baIw3U
xdwx+bGpTtS63Py1/57MQ0W/ZXE/Ocnt1qoDLpJeZIuEBKgMcn5/iN9+Ro5zAuOBEKg34wBS
8QCTAgMBAAGjggKcMIICmDAOBgNVHQ8BAf8EBAMCBPAwgYQGCCsGAQUFBwEBBHgwdjAwBggr
BgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVudHJ1c3QuY29tMEIGCCsGAQUF
BzAChjZodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NlcnRzL3RydXN0aWRjYWEx
Mi5wN2MwHwYDVR0jBBgwFoAUpHPa72k1inXMoBl7CDL4a4nkQuwwCQYDVR0TBAIwADCCASsG
A1UdIASCASIwggEeMIIBGgYLYIZIAYb5LwAGAgEwggEJMEoGCCsGAQUFBwIBFj5odHRwczov
L3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRt
bDCBugYIKwYBBQUHAgIwga0MgapUaGlzIFRydXN0SUQgQ2VydGlmaWNhdGUgaGFzIGJlZW4g
aXNzdWVkIGluIGFjY29yZGFuY2Ugd2l0aCBJZGVuVHJ1c3QncyBUcnVzdElEIENlcnRpZmlj
YXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRp
ZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRtbDBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8v
dmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NybC90cnVzdGlkY2FhMTIuY3JsMB8GA1UdEQQY
MBaBFGphbHRtYW5AYXVyaXN0b3IuY29tMB0GA1UdDgQWBBR7pHsvL4H5GdzNToI9e5BuzV19
bzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggEBAFlm
JYk4Ff1v/n0foZkv661W4LCRtroBaVykOXetrDDOQNK2N6JdTa146uIZVgBeU+S/0DLvJBKY
tkUHQ9ovjXJTsuCBmhIIw3YlHoFxbku0wHEpXMdFUHV3tUodFJJKF3MbC8j7dOMkag59/Mdz
Sjszdvit0av9nTxWs/tRKKtSQQlxtH34TouIke2UgP/Nn901QLOrJYJmtjzVz8DW3IYVxfci
SBHhbhJTdley5cuEzphELo5NR4gFjBNlxH7G57Hno9+EWILpx302FJMwTgodIBJbXLbPMHou
xQbOL2anOTUMKO8oH0QdQHCtC7hpgoQa7UJYJxDBI+PRaQ/HObkwggaRMIIEeaADAgECAhEA
+d5Wf8lNDHdw+WAbUtoVOzANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJVUzESMBAGA1UE
ChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEw
HhcNMTUwMjE4MjIyNTE5WhcNMjMwMjE4MjIyNTE5WjA6MQswCQYDVQQGEwJVUzESMBAGA1UE
ChMJSWRlblRydXN0MRcwFQYDVQQDEw5UcnVzdElEIENBIEExMjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBANGRTTzPCic0kq5L6ZrUJWt5LE/n6tbPXPhGt2Egv7plJMoEpvVJ
JDqGqDYymaAsd8Hn9ZMAuKUEFdlx5PgCkfu7jL5zgiMNnAFVD9PyrsuF+poqmlxhlQ06sFY2
hbhQkVVQ00KCNgUzKcBUIvjv04w+fhNPkwGW5M7Ae5K5OGFGwOoRck9GG6MUVKvTNkBw2/vN
MOd29VGVTtR0tjH5PS5yDXss48Yl1P4hDStO2L4wTsW2P37QGD27//XGN8K6amWB6F2XOgff
/PmlQjQOORT95PmLkwwvma5nj0AS0CVp8kv0K2RHV7GonllKpFDMT0CkxMQKwoj+tWEWJTiD
KSsCAwEAAaOCAoAwggJ8MIGJBggrBgEFBQcBAQR9MHswMAYIKwYBBQUHMAGGJGh0dHA6Ly9j
b21tZXJjaWFsLm9jc3AuaWRlbnRydXN0LmNvbTBHBggrBgEFBQcwAoY7aHR0cDovL3ZhbGlk
YXRpb24uaWRlbnRydXN0LmNvbS9yb290cy9jb21tZXJjaWFscm9vdGNhMS5wN2MwHwYDVR0j
BBgwFoAU7UQZwNPwBovupHu+QucmVMiONnYwDwYDVR0TAQH/BAUwAwEB/zCCASAGA1UdIASC
ARcwggETMIIBDwYEVR0gADCCAQUwggEBBggrBgEFBQcCAjCB9DBFFj5odHRwczovL3NlY3Vy
ZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRtbDADAgEB
GoGqVGhpcyBUcnVzdElEIENlcnRpZmljYXRlIGhhcyBiZWVuIGlzc3VlZCBpbiBhY2NvcmRh
bmNlIHdpdGggSWRlblRydXN0J3MgVHJ1c3RJRCBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQg
YXQgaHR0cHM6Ly9zZWN1cmUuaWRlbnRydXN0LmNvbS9jZXJ0aWZpY2F0ZXMvcG9saWN5L3Rz
L2luZGV4Lmh0bWwwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3ZhbGlkYXRpb24uaWRlbnRy
dXN0LmNvbS9jcmwvY29tbWVyY2lhbHJvb3RjYTEuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFKRz2u9pNYp1zKAZewgy+GuJ
5ELsMA0GCSqGSIb3DQEBCwUAA4ICAQAN4YKu0vv062MZfg+xMSNUXYKvHwvZIk+6H1pUmivy
DI4I6A3wWzxlr83ZJm0oGIF6PBsbgKJ/fhyyIzb+vAYFJmyI8I/0mGlc+nIQNuV2XY8cypPo
VJKgpnzp/7cECXkX8R4NyPtEn8KecbNdGBdEaG4a7AkZ3ujlJofZqYdHxN29tZPdDlZ8fR36
/mAFeCEq0wOtOOc0Eyhs29+9MIZYjyxaPoTS+l8xLcuYX3RWlirRyH6RPfeAi5kySOEhG1qu
NHe06QIwpigjyFT6v/vRqoIBr7WpDOSt1VzXPVbSj1PcWBgkwyGKHlQUOuSbHbHcjOD8w8wH
SDbL+L2he8hNN54doy1e1wJHKmnfb0uBAeISoxRbJnMMWvgAlH5FVrQWlgajeH/6NbYbBSRx
ALuEOqEQepmJM6qz4oD2sxdq4GMN5adAdYEswkY/o0bRKyFXTD3mdqeRXce0jYQbWm7oapqS
ZBccFvUgYOrB78tB6c1bxIgaQKRShtWR1zMM0JfqUfD9u8Fg7G5SVO0IG/GcxkSvZeRjhYcb
TfqF2eAgprpyzLWmdr0mou3bv1Sq4OuBhmTQCnqxAXr4yVTRYHkp5lCvRgeJAme1OTVpVPth
/O7HJ7VuEP9GOr6kCXCXmjB4P3UJ2oU0NqfoQdcSSSt9hliALnExTEjii20B2nSDojGCAxQw
ggMQAgEBME4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5UcnVzdDEXMBUGA1UEAxMO
VHJ1c3RJRCBDQSBBMTICEEABbQHWpVVDfbC/HYRdhTowDQYJYIZIAWUDBAIBBQCgggGXMBgG
CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDcxMTEyNDYzNlow
LwYJKoZIhvcNAQkEMSIEIF3TjJWKsMgYTcG/bOeCtcefApc7dZsbUtya6cMPE5nCMF0GCSsG
AQQBgjcQBDFQME4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5UcnVzdDEXMBUGA1UE
AxMOVHJ1c3RJRCBDQSBBMTICEEABbQHWpVVDfbC/HYRdhTowXwYLKoZIhvcNAQkQAgsxUKBO
MDoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQg
Q0EgQTEyAhBAAW0B1qVVQ32wvx2EXYU6MGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEq
MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwIC
AUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggEANeXNleMz7Qf+
Vcwm2JaI+YnxGaMSa1lrZirdxE+miTXHQgOr4yAda6YOX89Cx8irdYy6i/v46tAuc42LzgwV
24kWiPHmUsIlI/m50cyyrSfek2NAdtA/un675yyz2KU+GjqSFh6ZY8/hK6dH4P6KXTrW8Szw
Gijo5Z+nojdsM23Ml6JFNPzPyi5TlqH6RML8NOi8jBVePVAZ0Fgf7j8AyCLF25/3OkuPDmgd
2nEXgwswpweZTG3DUevP6qJxek8FKoN/+5OhVdSZZdU8/cFkbxKkUqFtvnB/DuOm6a2Z0GaK
EXVrXm2d0eMCIXq0Tv9tymvZGSPz1dTQ/Ui0dOTNzAAAAAAAAA==
--------------ms000408040309020204090307--