Your message dated Sat, 12 Aug 2017 16:17:09 +0000
with message-id <e1dgz65-0008ib...@fasolo.debian.org>
and subject line Bug#856307: fixed in krb5 1.15-1+deb9u1
has caused the Debian Bug report #856307,
regarding krb5-user: kinit fails for OTP user when using kdc discovery via DNS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856307: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: krb5-user
Version: 1.15-1
Severity: normal

Dear Maintainer,

I'm running two IPA servers for authentication and have enrolled a
Debian/testing host as a client in my IPA domain. Authentication with
kinit as normal user (password only) works fine [redacted/shortened
log]:

Passwort for u...@example.org: 
[8356] 1488202583.504266: Preauth module encrypted_challenge (138) (real) 
returned: 0/Success
[8356] 1488202583.504305: Produced preauth for next request: 133, 138
[8356] 1488202583.504332: Encoding request body and padata into FAST request
[8356] 1488202583.504565: Sending request (1180 bytes) to EXAMPLE.ORG
[8356] 1488202583.506508: Resolving hostname freeipa1.example.org.
[8356] 1488202583.507624: Sending initial UDP request to dgram 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[8356] 1488202583.672491: Received answer (1038 bytes) from dgram 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[8356] 1488202583.673974: Response was from master KDC

When using the same /etc/krb5.conf and kinit with an OTP user I get:

[11894] 1488202850.383675: Encoding request body and padata into FAST request
[11894] 1488202850.383843: Sending request (1077 bytes) to EXAMPLE.ORG
[11894] 1488202850.385176: Resolving hostname freeipa2.example.org.
[11894] 1488202850.385782: Sending initial UDP request to dgram 
fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.387857: Received answer (546 bytes) from dgram 
fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.388696: Response was from master KDC
[11894] 1488202850.388761: Received error from KDC: -1765328359/zusätzlich 
Vorauthentifizierung erforderlich
[11894] 1488202850.388784: Decoding FAST response
[11894] 1488202850.388980: Processing preauth types: 136, 141, 133, 137
[11894] 1488202850.388998: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an: 
[11894] 1488202860.437172: Preauth module otp (141) (real) returned: 0/Success
[11894] 1488202860.437196: Produced preauth for next request: 133, 142
[11894] 1488202860.437211: Encoding request body and padata into FAST request
[11894] 1488202860.437438: Sending request (1272 bytes) to EXAMPLE.ORG
[11894] 1488202860.440332: Resolving hostname freeipa2.example.org.
[11894] 1488202860.441738: Sending initial UDP request to dgram 
fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202861.442912: Sending initial UDP request to dgram 
192.168.30.122:88
[11894] 1488202861.443663: Received answer (0 bytes) from dgram 
192.168.30.122:88
[11894] 1488202861.464406: Response was from master KDC
[11894] 1488202861.464406: Response was from master KDC
[11894] 1488202861.464495: Processing preauth types: 136, 141, 133, 137
[11894] 1488202861.464521: Received cookie: MIT
kinit: allgemeiner Fehlschlag der Vorauthentifizierung bei Anfängliche 
Anmeldedaten werden geholt.


So we try multiple UDP requests, and finally fail.  I do have
"udp_preference_limit = 1" in /etc/krb5.conf to force TCP, but as we
see above, we use UDP.

So, bug number one seems to be that we use UDP instead of the wanted
TCP. And we try multiple KDCs, which is not useful for OTP, because
the token will be consumed and the second request will fail.

If I change my /etc/krb5.conf to (dns_lookup_kdc = false, kdc = 
freeipa1.example.org):

...
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 1
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.ORG = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    kdc = freeipa1.example.org
  }
...

authentication as an OTP user works as expected and we use TCP sessions:

[15302] 1488203143.7313: Resolving hostname freeipa1.example.org
[15302] 1488203143.8013: Initiating TCP connection to stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.8392: Sending TCP request to stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10601: Received answer (544 bytes) from stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10624: Terminating TCP connection to stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10698: Response was not from master KDC
[15302] 1488203143.10745: Received error from KDC: -1765328359/zusätzlich 
Vorauthentifizierung erforderlich
[15302] 1488203143.10765: Decoding FAST response
[15302] 1488203143.10966: Processing preauth types: 136, 141, 133, 137
[15302] 1488203143.10988: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an: 
[15302] 1488203153.599264: Preauth module otp (141) (real) returned: 0/Success
[15302] 1488203153.599305: Produced preauth for next request: 133, 142
[15302] 1488203153.599322: Encoding request body and padata into FAST request
[15302] 1488203153.599560: Sending request (1271 bytes) to EXAMPLE.ORG
[15302] 1488203153.599621: Resolving hostname freeipa1.example.org
[15302] 1488203153.600632: Initiating TCP connection to stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203153.600957: Sending TCP request to stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203155.236450: Received answer (1001 bytes) from stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203155.236497: Terminating TCP connection to stream 
fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203155.236643: Response was not from master KDC
[15302] 1488203155.236707: Decoding FAST response

How do I get OTP with "dns_lookup_kdc = true" to work? Why do we use
UDP instead of TCP when we use DNS-discovery?


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages krb5-user depends on:
ii  krb5-config         2.6
ii  libc6               2.24-9
ii  libcomerr2          1.43.4-2
ii  libgssapi-krb5-2    1.15-1
ii  libgssrpc4          1.15-1
ii  libk5crypto3        1.15-1
ii  libkadm5clnt-mit11  1.15-1
ii  libkadm5srv-mit11   1.15-1
ii  libkdb5-8           1.15-1
ii  libkeyutils1        1.5.9-9
ii  libkrb5-3           1.15-1
ii  libkrb5support0     1.15-1
ii  libss2              1.43.4-2

krb5-user recommends no packages.

krb5-user suggests no packages.

-- no debconf information

--- End Message ---
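A check for the behaviour the report describes, added here as an example and not part of the bug report or of krb5 itself: it parses KRB5_TRACE-style lines (constructed samples modelled on the ones quoted above) together with a krb5.conf fragment, and flags a run where requests went out over UDP despite udp_preference_limit = 1, or where the request carrying the OTP reached more than one KDC, which is exactly the case in which the first KDC has already consumed the token.

```python
import re

# Constructed samples modelled on the report's KRB5_TRACE output (the mailer
# wrapped the real lines; here each trace message sits on one line).
FAILING_TRACE = """\
[11894] 1488202860.437172: Preauth module otp (141) (real) returned: 0/Success
[11894] 1488202860.441738: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202861.442912: Sending initial UDP request to dgram 192.168.30.122:88
[11894] 1488202861.443663: Received answer (0 bytes) from dgram 192.168.30.122:88
"""
WORKING_TRACE = """\
[15302] 1488203153.599264: Preauth module otp (141) (real) returned: 0/Success
[15302] 1488203153.600957: Sending TCP request to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203155.236450: Received answer (1001 bytes) from stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
"""
KRB5_CONF = "[libdefaults]\n  udp_preference_limit = 1\n  dns_lookup_kdc = true\n"

SEND_RE = re.compile(r"Sending (?:initial )?(UDP|TCP) request to (?:dgram|stream) (\S+)$")
OTP_OK_RE = re.compile(r"Preauth module otp \(141\) \(real\) returned: 0/Success")

def udp_preference_limit(krb5_conf):
    """udp_preference_limit from krb5.conf text, or None when unset."""
    m = re.search(r"^\s*udp_preference_limit\s*=\s*(\d+)", krb5_conf, re.M)
    return int(m.group(1)) if m else None

def analyze_trace(trace, udp_limit):
    """Count transports used and list the KDCs that saw the post-OTP request."""
    sends = {"UDP": 0, "TCP": 0}
    kdcs_after_otp, otp_done = [], False
    for line in trace.splitlines():
        otp_done = otp_done or bool(OTP_OK_RE.search(line))
        m = SEND_RE.search(line)
        if not m:
            continue
        transport, kdc = m.groups()
        sends[transport] += 1
        if otp_done and kdc not in kdcs_after_otp:
            kdcs_after_otp.append(kdc)
    return {
        "udp_sends": sends["UDP"],
        "tcp_sends": sends["TCP"],
        "kdcs_after_otp": kdcs_after_otp,
        # udp_preference_limit = 1 means no request should ever go out over UDP
        "transport_violation": udp_limit == 1 and sends["UDP"] > 0,
        # a second KDC saw the same OTP: the first one already consumed the token
        "otp_retried_elsewhere": len(kdcs_after_otp) > 1,
    }
```

Run it against a real trace by capturing kinit with KRB5_TRACE=/dev/stderr and feeding the captured text to analyze_trace together with the udp_preference_limit read from the host's /etc/krb5.conf.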
--- Begin Message ---
Source: krb5
Source-Version: 1.15-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartm...@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 09 Aug 2017 12:19:50 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd 
krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc 
libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit11 libkadm5clnt-mit11 
libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales 
libkrad-dev
Architecture: source
Version: 1.15-1+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Sam Hartman <hartm...@debian.org>
Changed-By: Sam Hartman <hartm...@debian.org>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-kpropd - MIT Kerberos key server (KDC)
 krb5-locales - internationalization support for MIT Kerberos
 krb5-multidev - development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit11 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit11 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - debugging files for MIT Kerberos
 libkrb5-dev - headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 856307 860767 869260
Changes:
 krb5 (1.15-1+deb9u1) stretch; urgency=high
 .
   * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
     Closes: #869260
   * Upstream patches to fix startup if getaddrinfo() returns a wildcard v6
     address, and to fix handling of explicitly specified v4 wildcard
     address; regression over previous versions, Closes: #860767
   * Fix SRV lookups to respect udp_preference_limit, regression over
     previous versions with OTP, Closes: #856307


--- End Message ---
