OTP/FAST: MIT KDC <--> heimdal client integration


OTP/FAST: MIT KDC <--> heimdal client integration

Oleksandr Yermolenko
Hi,

I have a strange (for me?) situation using MIT KDC together with
Heimdal client. PKINIT/FAST scenario.

STEP 1:
client side:

kinit --anonymous
klist -v
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
    Cache version: 4

Server: krbtgt/[hidden email]
Client: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 273
Auth time:  Nov  2 10:30:45 2017
End time:   Nov  3 10:30:45 2017
Ticket flags: anonymous, enc-pa-rep, pre-authent, initial, forwardable
Addresses: addressless

MIT KDC side log krb5kdc.log:
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18
17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: ISSUE:
authtime 1509612221, etypes {rep=18 tkt=18 ses=18},
WELLKNOWN/[hidden email] for krbtgt/[hidden email]

I guess everything is fine.

STEP 2:
client side:
kinit --cache=FILE:/tmp/krb5cc_1000 [hidden email]
[hidden email]'s Password: passwordOTP
kinit: Password incorrect

KDC log:
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
(encrypted_timestamp) verify failure: Preauthentication failed Nov 02
09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
... <cut 6 rows with the same content>
(encrypted_timestamp) verify failure: Preauthentication failed Nov 02
09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20
19 16 23}) 2001:67c:2370:2080:d5de:47fa:4de1:b0e7: PREAUTH_FAILED:
[hidden email] for krbtgt/[hidden email], Preauthentication failed

my thoughts: ...
something wrong with etypes, DH size or ....
- set pkinit_dh_min_bits = 1024 on the server/client because Heimdal
can't use MIT's default of 2048-bit DH
- tried allow_weak_crypto without success

pkgs' versions: MIT 1.15.1 (CentOS 7, FreeIPA 4.5.0 bundle), Heimdal 7.1.0
Debian 9 based; also tried 7.4 with the same result

MIT KDC and MIT client in the same environment work well enough.

Thanks a lot for your time reading my long message, and for any ideas.

Oleksandr Yermolenko
network/systems engineer
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: OTP/FAST: MIT KDC <--> heimdal client integration

Greg Hudson
On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
> I have a strange (for me?) situation using MIT KDC together with
> Heimdal client. PKINIT/FAST scenario.

I don't believe Heimdal implements FAST OTP.

> kinit --cache=FILE:/tmp/krb5cc_1000 [hidden email]
> [hidden email]'s Password: passwordOTP
> kinit: Password incorrect
>
> KDC log:
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed Nov 02
> 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth

It looks like the Heimdal client is trying to do encrypted timestamp
(not encrypted challenge, so I'm not sure the client is even using FAST
with these options) against whatever long-term keys you have on the
client principal entry.  You might want to remove those (with kadmin
purgekeys -all) so that the KDC doesn't offer encrypted
timestamp/encrypted challenge.
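An added example, not code from this thread or from MIT krb5 or Heimdal: a small Python parser for krb5kdc.log lines in the shape quoted above. It attaches the `preauth (...) verify failure` lines, which name only the mechanism, to the AS_REQ summary that follows them, so a defender can see which failed clients used encrypted_timestamp (a long-term password key) rather than a FAST/OTP exchange. The sample log lines, hostname, addresses and principals are constructed.

```python
import re

# Constructed sample lines, modelled on the krb5kdc.log excerpt in the thread
# (hostname, addresses and principals are placeholders, not the poster's).
SAMPLE_LOG = """\
Nov 02 09:43:41 kdc.example krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 02 09:45:56 kdc.example krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 kdc.example krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 kdc.example krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::7: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Nov 02 09:47:02 kdc.example krb5kdc[1932](info): preauth (encrypted_challenge) verify failure: Preauthentication failed
Nov 02 09:47:02 kdc.example krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::8: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# AS_REQ summary: etypes the client offered, client address, result, client/server principals
AS_REQ_RE = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>\S+) for (?P<server>[^,\s]+)")
# A preauth verify-failure line names the mechanism, but not the principal
PREAUTH_RE = re.compile(r"preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)")


def parse_kdc_log(text):
    """Return one record per AS_REQ line. The KDC prints the per-mechanism
    failure lines just before the AS_REQ summary they belong to, so they are
    buffered and attached to the next AS_REQ record."""
    events, pending = [], []
    for line in text.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            pending.append(m.group("mech"))
            continue
        m = AS_REQ_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["etypes"] = [int(e) for e in rec["etypes"].split()]
            rec["preauth_failures"] = pending
            events.append(rec)
            pending = []
    return events


def timestamp_fallbacks(events):
    """Clients whose failed AS_REQ tried encrypted_timestamp: the client used a
    long-term key on the principal entry, i.e. it did not do FAST/OTP at all."""
    return sorted({e["client"] for e in events
                   if e["status"] == "PREAUTH_FAILED"
                   and "encrypted_timestamp" in e["preauth_failures"]})
```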

Re: OTP/FAST: MIT KDC <--> heimdal client integration

Charles Hedrick
It’s sort of implemented. On my Mac, if I use --fast-armor-cache=FILE:/tmp/krb5cc_1003 it sends udp packets to the server. The server doesn’t return anything and makes no entry in krb5kdc.log. So the client waits and eventually times out.

If I force tcp by using tcp/hostname in krb5.conf, a non-OTP kinit works, but a fast kinit immediately returns unable to reach any KDC.

A compatibility issue between Heimdal and MIT KDCs?

> On Nov 2, 2017, at 10:50 AM, Greg Hudson <[hidden email]> wrote:
>
> On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
>> I have a strange (for me?) situation using MIT KDC together with
>> Heimdal client. PKINIT/FAST scenario.
>
> I don't believe Heimdal implements FAST OTP.
>
>> kinit --cache=FILE:/tmp/krb5cc_1000 [hidden email]
>> [hidden email]'s Password: passwordOTP
>> kinit: Password incorrect
>>
>> KDC log:
>> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
>> (encrypted_timestamp) verify failure: Preauthentication failed Nov 02
>> 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
>
> It looks like the Heimdal client is trying to do encrypted timestamp
> (not encrypted challenge, so I'm not sure the client is even using FAST
> with these options) against whatever long-term keys you have on the
> client principal entry.  You might want to remove those (with kadmin
> purgekeys -all) so that the KDC doesn't offer encrypted
> timestamp/encrypted challenge.