Rekeying krbtgt and the behaviour of SSH and delegated credentials
Michael Howe
michael.howe at it.ox.ac.uk
Fri Aug 5 14:48:17 EDT 2016
Hello,
I'm working on rekeying the krbtgt for our realm for the first time
since it was created. Following the instructions at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/retiring-des.html
I discovered some odd behaviour with SSH delegating credentials, which
I'd like to solve before doing this to our live realm.
When a client has an existing (forwardable) ticket, and the krbtgt is
rekeyed with -keepold, most things keep working. However, if that
ticket is used with SSH using GSSAPIDelegateCredentials=yes it seems to
make the forwarded ticket unusable - the KDC returns 'Bad encryption
type' whenever it's used. (I've not tested other applications that
might forward credentials.)
I'm not sure why this happens, however - or if there's anything we can
do about it. I've not found anything from my searching online, but I
may just have been looking in the wrong place.
Has anyone else seen this? Can anyone explain what's going on?
More details of the test (including logs):
To test that this wasn't an artefact of our (rather old) realm, I've
reproduced this with a minimal new Kerberos realm, using Debian Jessie.
Two clients (client-1.internal, client-2.internal) and one server
(kadmin-test.internal), realm of INTERNAL; DNS and clocks are
appropriately configured. Initial krbtgt/INTERNAL principal configured
with single-des and 3des. User of 'worc2070', with user and root
.k5login including 'worc2070' and 'worc2070/root at INTERNAL'. sshd_config
set with GSSAPIAuthentication=yes. I'm using ksu as an example of a
kerberized command that fails; SSH to another host using GSSAPI fails
similarly (but less clearly).
#---8<-----------------------------------------------------------------
root at kadmin-test:~# kadmin.local -q "getprinc krbtgt/INTERNAL"
Authenticating as principal worc2070/admin at INTERNAL with password.
Principal: krbtgt/INTERNAL at INTERNAL
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Aug 05 18:55:45 BST 2016 (db_creation at INTERNAL)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
worc2070 at client-1:~$ kinit worc2070/root
Password for worc2070/root at INTERNAL:
worc2070 at client-1:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_pre_rekey_client_1_root
Default principal: worc2070/root at INTERNAL
Valid starting Expires Service principal
05/08/16 19:02:01 06/08/16 05:02:01 krbtgt/INTERNAL at INTERNAL
renew until 06/08/16 19:01:58, Flags: FPRIA
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
worc2070 at client-1 (top):~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL at INTERNAL: kvno = 1
ssh -oGSSAPIDelegateCredentials=yes client-2.internal
worc2070 at client-2:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_0WiRbsU3sD
Default principal: worc2070/root at INTERNAL
Valid starting Expires Service principal
05/08/16 19:03:01 06/08/16 05:02:01 krbtgt/INTERNAL at INTERNAL
renew until 06/08/16 19:01:58, Flags: FfPRAT
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
worc2070 at client-2:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL at INTERNAL: kvno = 1
worc2070 at client-2:~$ ksu
Authenticated worc2070/root at INTERNAL
Account root: authorization for worc2070/root at INTERNAL successful
Changing uid to root (0)
root at client-2:/home/worc2070# exit
#---8<-----------------------------------------------------------------
So far, so good. Now, keeping the existing credentials cache on
client-1, rekey the krbtgt, and then retry.
#---8<-----------------------------------------------------------------
root at kadmin-test:~# enctypes=aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
root at kadmin-test:~# kadmin.local -q "cpw -e ${enctypes} -randkey -keepold krbtgt/INTERNAL"
Authenticating as principal worc2070/admin at INTERNAL with password.
Key for "krbtgt/INTERNAL at INTERNAL" randomized.
root at kadmin-test:~# kadmin.local -q "getprinc krbtgt/INTERNAL"
Authenticating as principal worc2070/admin at INTERNAL with password.
Principal: krbtgt/INTERNAL at INTERNAL
Expiration date: [never]
Last password change: Fri Aug 05 19:10:32 BST 2016
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Aug 05 19:10:32 BST 2016 (worc2070/admin at INTERNAL)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 7
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
worc2070 at client-1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_pre_rekey_client_1_root
Default principal: worc2070/root at INTERNAL
Valid starting Expires Service principal
05/08/16 19:02:01 06/08/16 05:02:01 krbtgt/INTERNAL at INTERNAL
renew until 06/08/16 19:01:58, Flags: FPRIA
Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
05/08/16 19:02:44 06/08/16 05:02:01 host/client-2.internal at INTERNAL
renew until 06/08/16 19:01:58, Flags: FPRAT
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
worc2070 at client-1:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL at INTERNAL: kvno = 1
worc2070 at client-1:~$ ssh -oGSSAPIDelegateCredentials=yes client-2.internal
worc2070 at client-2:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_o3UlzfOkyT
Default principal: worc2070/root at INTERNAL
Valid starting Expires Service principal
05/08/16 19:13:25 06/08/16 05:02:01 krbtgt/INTERNAL at INTERNAL
renew until 06/08/16 19:01:58, Flags: FfPRAT
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
worc2070 at client-2:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL at INTERNAL: kvno = 2
worc2070 at client-2:~$ ksu
ksu: Generic error (see e-text) while getting credentials from kdc
Authentication failed.
#---8<-----------------------------------------------------------------
Looking at the logs from the KDC, I see:
#---8<-----------------------------------------------------------------
Aug 5 19:15:03 kadmin-test krb5kdc[714]: TGS_REQ (1 etypes {18}) 192.168.100.189: ISSUE: authtime 1470420121, etypes {rep=16 tkt=18 ses=18}, worc2070/root at INTERNAL for krbtgt/INTERNAL at INTERNAL
#---8<-----------------------------------------------------------------
(on initial connection to the system)
#---8<-----------------------------------------------------------------
Aug 5 19:15:45 kadmin-test krb5kdc[714]: authdata (signedpath) handling failure: Bad encryption type
Aug 5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ : handle_authdata (-1765328196)
Aug 5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 192.168.100.214: HANDLE_AUTHDATA: authtime 1470420121, worc2070/root at INTERNAL for host/client-2.internal at INTERNAL, Bad encryption type
Aug 5 19:15:45 kadmin-test krb5kdc[714]: authdata (signedpath) handling failure: Bad encryption type
Aug 5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ : handle_authdata (-1765328196)
Aug 5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 192.168.100.214: HANDLE_AUTHDATA: authtime 1470420121, worc2070/root at INTERNAL for host/client-2.internal at INTERNAL, Bad encryption type
#---8<-----------------------------------------------------------------
(when I run the ksu)
But, everything works if I have a newer credentials cache:
#---8<-----------------------------------------------------------------
worc2070 at client-1:~$ export KRB5CCNAME=/tmp/krb5cc_1000_post_rekey_client_1_root
worc2070 at client-1:~$ kinit worc2070/root
Password for worc2070/root at INTERNAL:
worc2070 at client-1:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_post_rekey_client_1_root
Default principal: worc2070/root at INTERNAL
Valid starting Expires Service principal
05/08/16 19:21:42 06/08/16 05:21:42 krbtgt/INTERNAL at INTERNAL
renew until 06/08/16 19:21:40, Flags: FPRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
worc2070 at client-1:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL at INTERNAL: kvno = 2
worc2070 at client-1:~$ ssh -oGSSAPIDelegateCredentials=yes client-2.internal
worc2070 at client-2:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_j6sYsGMjKW
Default principal: worc2070/root at INTERNAL
Valid starting Expires Service principal
05/08/16 19:22:00 06/08/16 05:21:42 krbtgt/INTERNAL at INTERNAL
renew until 06/08/16 19:21:40, Flags: FfPRAT
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
worc2070 at client-2:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL at INTERNAL: kvno = 2
worc2070 at client-2:~$ ksu
Authenticated worc2070/root at INTERNAL
Account root: authorization for worc2070/root at INTERNAL successful
Changing uid to root (0)
root at client-2:/home/worc2070# exit
#---8<-----------------------------------------------------------------
Many thanks,
Michael
--
Michael Howe, Infrastructure and Hosting Team
Systems Development and Support
IT Services, University of Oxford
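An added example, not part of the post above: a small parser for the krb5kdc TGS_REQ log lines quoted in the post, used to find clients whose post-rekey failures stem from a TGT obtained before the krbtgt was rekeyed (authtime earlier than the "Last password change" of krbtgt/INTERNAL). The sample log is constructed from the post's own lines with '@' restored in principal names; the rekey epoch value and the enctype name table are assumptions derived from the post and the IANA enctype registry.

```python
import re
from collections import defaultdict

# Enctype numbers as krb5kdc logs them (RFC 3961 / IANA Kerberos encryption type registry).
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}

# Matches both the ISSUE line and the HANDLE_AUTHDATA failure line shape seen in the post.
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>\w+): authtime (?P<authtime>\d+), "
    r"(?:etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)(?:, (?P<error>.+))?$")

# Assumed rekey time: krbtgt "Last password change: Fri Aug 05 19:10:32 BST 2016" as epoch.
REKEY_EPOCH = 1470420632

# Constructed sample: the KDC lines quoted in the post, with '@' restored.
SAMPLE_LOG = """\
Aug 5 19:15:03 kadmin-test krb5kdc[714]: TGS_REQ (1 etypes {18}) 192.168.100.189: ISSUE: authtime 1470420121, etypes {rep=16 tkt=18 ses=18}, worc2070/root@INTERNAL for krbtgt/INTERNAL@INTERNAL
Aug 5 19:15:45 kadmin-test krb5kdc[714]: authdata (signedpath) handling failure: Bad encryption type
Aug 5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ : handle_authdata (-1765328196)
Aug 5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 192.168.100.214: HANDLE_AUTHDATA: authtime 1470420121, worc2070/root@INTERNAL for host/client-2.internal@INTERNAL, Bad encryption type
"""


def parse_tgs_line(line):
    """Return a dict for a TGS_REQ ISSUE/failure line, or None for any other line."""
    m = TGS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"])
    rec["requested"] = [ETYPE_NAMES.get(int(e), e) for e in rec["req"].split()]
    # rep/tkt/ses only appear on ISSUE lines; translate numbers to names when present.
    for k in ("rep", "tkt", "ses"):
        rec[k] = ETYPE_NAMES.get(int(rec[k])) if rec[k] else None
    return rec


def stale_tgt_failures(lines, rekey_epoch):
    """Map client principal -> sorted services whose TGS_REQ failed with 'Bad encryption
    type' while the client's authtime predates the krbtgt rekey (a pre-rekey TGT)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_tgs_line(line)
        if rec and rec["error"] == "Bad encryption type" and rec["authtime"] < rekey_epoch:
            hits[rec["client"]].add(rec["server"])
    return {client: sorted(servers) for client, servers in hits.items()}
```

Running it over a KDC log after a rekey lists the principals still holding pre-rekey caches, which is the set of users to ask to kinit afresh; the ISSUE record also makes the post's rep=16/tkt=18 mix (old des3 session key, new aes256 krbtgt key) visible by name.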