krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
krb5 (Debian) | Fix Released | Unknown | |
krb5 (Ubuntu) | Fix Released | High | Unassigned |
Zesty | Fix Released | High | Andreas Hasenack |
Bug Description
This is fixed in krb5 1.15-2 in artful
Upstream bug: http://
Debian bug: http://
Debian patch in 1.15-2 in artful: 0013-Fix-
[Impact]
kinit does not respect udp_preference_
One particular scenario that fails is when OTP (one time password) is used, as reported.
The provided patch is applied upstream and in Debian testing.
[Test Case]
Steps to reproduce on zesty, with all services on one machine for simplicity (I suggest using LXD):
a) install the packages from zesty (not the proposed ones yet):
$ sudo apt install krb5-kdc krb5-admin-server bind9
When prompted for the realm, choose EXAMPLE.COM
When prompted for the KDC and Admin services server address, use the IP of your test machine/container (not localhost or 127.0.0.1)
The KDC will fail to start because there is no realm yet; that is not relevant for this bug.
b) Edit /etc/krb5.conf and make the following changes:
- remove the "default_realm" line from the [libdefaults] section
- remove the EXAMPLE.COM realm block from the [realms] section
- add "dns_lookup_realm = true" to the [libdefaults] section
- add "dns_lookup_kdc = true" to the [libdefaults] section
- add "udp_preference
c) Edit /etc/bind/
zone "example.com" {
type master;
file "/etc/bind/
};
d) Create /etc/bind/
$TTL 604800
@ IN SOA example.com. ubuntu.example.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS zesty-bug1683237.example.com.
zesty-bug1683237 IN A 10.0.100.249
_kerberos TXT "EXAMPLE.COM"
_kerberos._udp SRV 0 0 88 zesty-bug1683237
_kerberos._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-
_kerberos-
_kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
_kpasswd._udp SRV 0 0 464 zesty-bug1683237
Use the real IP of your test machine/container where I used "10.0.100.249". You can also choose another hostname if you want, just be consistent across the board. I chose "zesty-bug1683237".
e) Restart bind
$ sudo service bind9 restart
f) Do a few quick DNS tests:
$ dig +short @10.0.100.249 zesty-bug1683237.example.com
10.0.100.249
$ dig +short @10.0.100.249 -t TXT _kerberos.
"EXAMPLE.COM"
$ dig +short @10.0.100.249 -t SRV _kerberos.
0 0 88 zesty-bug1683237.example.com.
$ dig +short @10.0.100.249 -t SRV _kerberos.
0 0 88 zesty-bug1683237.example.com.
g) Edit /etc/resolv.conf, ignoring the warning since we are not going to reboot or change network interfaces:
nameserver 10.0.100.249 # USE YOUR IP HERE
search example.com
h) Create the EXAMPLE.COM kerberos realm:
$ sudo krb5_newrealm
When prompted for a password, use whatever you like. If you get an error about no default realm, then your TXT record in DNS is not working. Retrace your DNS configuration steps.
i) Start the kerberos services:
$ sudo service krb5-kdc start
$ sudo service krb5-admin-server start
j) Create a principal and test it:
$ sudo kadmin.local addprinc -pw ubuntu ubuntu
$ kinit ubuntu
Password for <email address hidden>:
$ klist
(...)
05/05/2017 13:10:01 05/05/2017 23:10:01 <email address hidden>
(...)
Now we are ready to test the bug.
Given that we have udp_preference_
$ KRB5_TRACE=
[7609] 1493989890.568980: Getting initial credentials for <email address hidden>
[7609] 1493989890.569904: Sending request (172 bytes) to EXAMPLE.COM
[7609] 1493989890.571991: Resolving hostname zesty-bug1683237.example.com.
[7609] 1493989890.576853: Sending initial UDP request to dgram 10.0.100.249:88
(...)
Uh oh, it's using UDP!
With the fixed packages, kinit will use TCP, thus honoring the udp_preference_
$ KRB5_TRACE=
[14287] 1493990160.760430: Getting initial credentials for <email address hidden>
[14287] 1493990160.761590: Sending request (172 bytes) to EXAMPLE.COM
[14287] 1493990160.763783: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.767803: Resolving hostname zesty-bug1683237.example.com.
[14287] 1493990160.770588: Initiating TCP connection to stream 10.0.100.249:88
[14287] 1493990160.771724: Sending TCP request to stream 10.0.100.249:88
(...)
And if udp_preference_
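To make the expected transport choice concrete, here is an added Python model (not krb5's code and not part of this bug report) that picks the _kerberos._udp and _kerberos._tcp SRV records out of the zone above and orders the candidates the way the krb5 [libdefaults] option udp_preference_limit is documented: a request larger than the limit tries TCP first, so with the limit set to 1 even the 172-byte request seen in the trace goes to TCP first. The zone lines and the 172-byte size come from this test case; 1465 is krb5's documented default limit; the deterministic weight ordering is a simplification of krb5's weighted random pick.

```python
"""Model of KDC transport ordering for DNS-discovered KDCs (added illustration)."""
from dataclasses import dataclass
import re

# Constructed sample: the SRV lines from the example.com zone in this test case.
ZONE = """
_kerberos._udp SRV 0 0 88 zesty-bug1683237
_kerberos._tcp SRV 0 0 88 zesty-bug1683237
_kerberos-adm._tcp SRV 0 0 749 zesty-bug1683237
_kpasswd._udp SRV 0 0 464 zesty-bug1683237
"""

SRV_RE = re.compile(r"^(\S+)\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class Kdc:
    transport: str  # "udp" or "tcp"
    host: str       # fully qualified target name
    port: int
    priority: int
    weight: int


def parse_kdc_srv(zone: str, origin: str = "example.com") -> list:
    """Return the _kerberos._udp/_kerberos._tcp SRV records, qualifying relative targets."""
    kdcs = []
    for line in zone.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue
        name, prio, weight, port, target = m.groups()
        if name not in ("_kerberos._udp", "_kerberos._tcp"):
            continue  # admin and kpasswd records are not KDC endpoints
        if not target.endswith("."):
            target = f"{target}.{origin}."
        kdcs.append(Kdc(name.rsplit("._", 1)[1], target, int(port), int(prio), int(weight)))
    return kdcs


def transport_order(kdcs, request_len: int, udp_preference_limit: int = 1465):
    """Order (transport, host, port) tuples as udp_preference_limit documents:
    requests larger than the limit try TCP first, otherwise UDP first; the
    other transport stays in the list as fallback. Lower SRV priority first,
    then higher weight (deterministic simplification of the weighted pick)."""
    prefer_tcp = request_len > udp_preference_limit
    ranked = sorted(kdcs, key=lambda k: (k.priority, -k.weight))
    first = [k for k in ranked if (k.transport == "tcp") == prefer_tcp]
    rest = [k for k in ranked if (k.transport == "tcp") != prefer_tcp]
    return [(k.transport, k.host, k.port) for k in first + rest]
```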
[Regression Potential]
Sites who were inadvertently relying on this bug (by having udp_preference_
== Original description ==
Zesty is now affected, please see the debian bug https:/
and upstream bug http://
Would it be possible to get 1.15.1 (already released upstream) in zesty/zesty-
Thanks
Jochen
Changed in krb5 (Debian):
status: Unknown → New
Changed in krb5 (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: server-next
Changed in krb5 (Debian):
status: New → Fix Released
Changed in krb5 (Ubuntu Zesty):
status: New → Triaged
tags: removed: server-next
Changed in krb5 (Ubuntu Zesty):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
description: updated
Changed in krb5 (Ubuntu Zesty):
importance: Undecided → High
Thank you for taking the time to report this bug and helping to make Ubuntu
better. Thank you also for reporting this to Debian and finding the
upstream record.
If you need a fix for the bug in previous versions of Ubuntu, then the
relevant procedure is documented here:
https://wiki.ubuntu.com/StableReleaseUpdates
However, uploading point releases is generally not done to existing
releases in an effort to prevent additional regressions. Because
we currently do not have a delta with Debian, ideally we would sync over
from Debian directly and get the fix. However, with the existing freeze
this may not happen right away. I have added this to the server-next
backlog to get looked at during the next release.
Also I believe this is the commit to fix: https://github.com/krb5/krb5/commit/bc7594058011c2f9711f24af4fa15a421a8d5b62