Rekeying krbtgt and the behaviour of SSH and delegated credentials

Michael Howe michael.howe@it.ox.ac.uk
Fri Aug 5 14:48:17 EDT 2016


Hello,

I'm working on rekeying the krbtgt for our realm for the first time
since it was created.  Following the instructions at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/retiring-des.html
I discovered some odd behaviour with SSH delegating credentials, which
I'd like to solve before doing this to our live realm.

When a client has an existing (forwardable) ticket, and the krbtgt is
rekeyed with -keepold, most things keep working.  However, if that
ticket is used with SSH using GSSAPIDelegateCredentials=yes it seems to
make the forwarded ticket unusable - the KDC returns 'Bad encryption
type' whenever it's used.  (I've not tested other applications that
might forward credentials.)

I'm not sure why this happens, however - or if there's anything we can
do about it.  I've not found anything from my searching online, but I
may just have been looking in the wrong place.

Has anyone else seen this?  Can anyone explain what's going on?


More details of the test (including logs):

To test that this wasn't an artefact of our (rather old) realm, I've
reproduced this with a minimal new kerberos realm, using Debian Jessie.

Two clients (client-1.internal, client-2.internal) and one server
(kadmin-test.internal), realm of INTERNAL; DNS and clocks are
appropriately configured.  Initial krbtgt/INTERNAL principal configured
with single-des and 3des.  User 'worc2070', with user and root
.k5login including 'worc2070' and 'worc2070/root@INTERNAL'.  sshd_config
set with GSSAPIAuthentication=yes.  I'm using ksu as an example of a
kerberized command that fails; SSH to another host using GSSAPI fails
similarly (but less clearly).

#---8<-----------------------------------------------------------------
root@kadmin-test:~# kadmin.local -q "getprinc krbtgt/INTERNAL"
Authenticating as principal worc2070/admin@INTERNAL with password.
Principal: krbtgt/INTERNAL@INTERNAL
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Aug 05 18:55:45 BST 2016 (db_creation@INTERNAL)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

worc2070@client-1:~$ kinit worc2070/root
Password for worc2070/root@INTERNAL:
worc2070@client-1:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_pre_rekey_client_1_root
Default principal: worc2070/root@INTERNAL

Valid starting     Expires            Service principal
05/08/16 19:02:01  06/08/16 05:02:01  krbtgt/INTERNAL@INTERNAL
	renew until 06/08/16 19:01:58, Flags: FPRIA
	Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1

worc2070@client-1 (top):~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL@INTERNAL: kvno = 1

ssh -oGSSAPIDelegateCredentials=yes client-2.internal

worc2070@client-2:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_0WiRbsU3sD
Default principal: worc2070/root@INTERNAL

Valid starting     Expires            Service principal
05/08/16 19:03:01  06/08/16 05:02:01  krbtgt/INTERNAL@INTERNAL
	renew until 06/08/16 19:01:58, Flags: FfPRAT
	Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
worc2070@client-2:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL@INTERNAL: kvno = 1
worc2070@client-2:~$ ksu
Authenticated worc2070/root@INTERNAL
Account root: authorization for worc2070/root@INTERNAL successful
Changing uid to root (0)
root@client-2:/home/worc2070# exit
#---8<-----------------------------------------------------------------


So far, so good.  Now, keeping the existing credentials cache on
client-1, rekey the krbtgt, and then retry.


#---8<-----------------------------------------------------------------
root@kadmin-test:~# enctypes=aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
root@kadmin-test:~# kadmin.local -q "cpw -e ${enctypes} -randkey -keepold krbtgt/INTERNAL"
Authenticating as principal worc2070/admin@INTERNAL with password.
Key for "krbtgt/INTERNAL@INTERNAL" randomized.
root@kadmin-test:~# kadmin.local -q "getprinc krbtgt/INTERNAL"
Authenticating as principal worc2070/admin@INTERNAL with password.
Principal: krbtgt/INTERNAL@INTERNAL
Expiration date: [never]
Last password change: Fri Aug 05 19:10:32 BST 2016
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Aug 05 19:10:32 BST 2016 (worc2070/admin@INTERNAL)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 7
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

worc2070@client-1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_pre_rekey_client_1_root
Default principal: worc2070/root@INTERNAL

Valid starting     Expires            Service principal
05/08/16 19:02:01  06/08/16 05:02:01  krbtgt/INTERNAL@INTERNAL
	renew until 06/08/16 19:01:58, Flags: FPRIA
	Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
05/08/16 19:02:44  06/08/16 05:02:01  host/client-2.internal@INTERNAL
	renew until 06/08/16 19:01:58, Flags: FPRAT
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
worc2070@client-1:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL@INTERNAL: kvno = 1
worc2070@client-1:~$ ssh -oGSSAPIDelegateCredentials=yes client-2.internal

worc2070@client-2:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_o3UlzfOkyT
Default principal: worc2070/root@INTERNAL

Valid starting     Expires            Service principal
05/08/16 19:13:25  06/08/16 05:02:01  krbtgt/INTERNAL@INTERNAL
	renew until 06/08/16 19:01:58, Flags: FfPRAT
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
worc2070@client-2:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL@INTERNAL: kvno = 2
worc2070@client-2:~$ ksu
ksu: Generic error (see e-text) while getting credentials from kdc
Authentication failed.
#---8<-----------------------------------------------------------------

Looking at the logs from the KDC, I see:

#---8<-----------------------------------------------------------------
Aug  5 19:15:03 kadmin-test krb5kdc[714]: TGS_REQ (1 etypes {18}) 192.168.100.189: ISSUE: authtime 1470420121, etypes {rep=16 tkt=18 ses=18}, worc2070/root@INTERNAL for krbtgt/INTERNAL@INTERNAL
#---8<-----------------------------------------------------------------

(on initial connection to the system)

#---8<-----------------------------------------------------------------
Aug  5 19:15:45 kadmin-test krb5kdc[714]: authdata (signedpath) handling failure: Bad encryption type
Aug  5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ : handle_authdata (-1765328196)
Aug  5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 192.168.100.214: HANDLE_AUTHDATA: authtime 1470420121, worc2070/root@INTERNAL for host/client-2.internal@INTERNAL, Bad encryption type
Aug  5 19:15:45 kadmin-test krb5kdc[714]: authdata (signedpath) handling failure: Bad encryption type
Aug  5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ : handle_authdata (-1765328196)
Aug  5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 192.168.100.214: HANDLE_AUTHDATA: authtime 1470420121, worc2070/root@INTERNAL for host/client-2.internal@INTERNAL, Bad encryption type
#---8<-----------------------------------------------------------------

(when I run the ksu)

But, everything works if I have a newer credentials cache:

#---8<-----------------------------------------------------------------
worc2070@client-1:~$ export KRB5CCNAME=/tmp/krb5cc_1000_post_rekey_client_1_root
worc2070@client-1:~$ kinit worc2070/root
Password for worc2070/root@INTERNAL:
worc2070@client-1:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_post_rekey_client_1_root
Default principal: worc2070/root@INTERNAL

Valid starting     Expires            Service principal
05/08/16 19:21:42  06/08/16 05:21:42  krbtgt/INTERNAL@INTERNAL
    renew until 06/08/16 19:21:40, Flags: FPRIA
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
worc2070@client-1:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL@INTERNAL: kvno = 2
worc2070@client-1:~$ ssh -oGSSAPIDelegateCredentials=yes client-2.internal

worc2070@client-2:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000_j6sYsGMjKW
Default principal: worc2070/root@INTERNAL

Valid starting     Expires            Service principal
05/08/16 19:22:00  06/08/16 05:21:42  krbtgt/INTERNAL@INTERNAL
    renew until 06/08/16 19:21:40, Flags: FfPRAT
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
worc2070@client-2:~$ kvno krbtgt/INTERNAL
krbtgt/INTERNAL@INTERNAL: kvno = 2
worc2070@client-2:~$ ksu
Authenticated worc2070/root@INTERNAL
Account root: authorization for worc2070/root@INTERNAL successful
Changing uid to root (0)
root@client-2:/home/worc2070# exit
#---8<-----------------------------------------------------------------

Many thanks,

Michael

-- 
Michael Howe, Infrastructure and Hosting Team
Systems Development and Support
IT Services, University of Oxford
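Added example (my code, not code from the post or from MIT krb5): a small parser for the krb5kdc TGS_REQ lines quoted in the post, run over those same lines, which are embedded here (constructed copy with the mailing-list " at " turned back into "@") so it runs offline. It maps the numeric enctypes the KDC logs to names using the IANA registry numbers (the table is my addition; 16 and 18 are the des3-cbc-sha1 and aes256-cts-hmac-sha1-96 that klist shows above) and flags the two things visible in the post's logs: an ISSUE whose reply enctype (rep) differs from the new session-key enctype (ses), and a TGS_REQ that failed in HANDLE_AUTHDATA. It also lists any single-DES etypes a client still offers, which is worth knowing during a DES retirement. Hostnames, principals and addresses are the post's own.

```python
"""Parse MIT krb5kdc TGS_REQ log lines and pull out the enctype evidence.

Added example, not code from the post or from MIT krb5.  The regexes and the
etype table are mine; the sample lines are the ones quoted in the post.
"""
import re

# Kerberos enctype numbers as registered by IANA (RFC 3961/3962/6803).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
SINGLE_DES = {1, 2, 3}

# Sample input: the KDC log lines quoted in the post (constructed copy).
SAMPLE_LOG = """\
Aug  5 19:15:03 kadmin-test krb5kdc[714]: TGS_REQ (1 etypes {18}) 192.168.100.189: ISSUE: authtime 1470420121, etypes {rep=16 tkt=18 ses=18}, worc2070/root@INTERNAL for krbtgt/INTERNAL@INTERNAL
Aug  5 19:15:45 kadmin-test krb5kdc[714]: authdata (signedpath) handling failure: Bad encryption type
Aug  5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ : handle_authdata (-1765328196)
Aug  5 19:15:45 kadmin-test krb5kdc[714]: TGS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 192.168.100.214: HANDLE_AUTHDATA: authtime 1470420121, worc2070/root@INTERNAL for host/client-2.internal@INTERNAL, Bad encryption type
"""

# Common prefix of the TGS_REQ lines the KDC writes for issues and failures.
_HEAD = (r"TGS_REQ \(\d+ etypes \{(?P<req>[\d ]+)\}\) (?P<ip>\S+): "
         r"(?P<stage>[A-Z_]+): authtime \d+, ")
ISSUE_RE = re.compile(_HEAD + r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
                      r"ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<server>\S+)$")
FAIL_RE = re.compile(_HEAD + r"(?P<client>\S+) for (?P<server>\S+), (?P<error>.+)$")


def etype_name(num):
    return ETYPES.get(num, "etype-%d" % num)


def parse_tgs_line(line):
    """Return a dict for a TGS_REQ ISSUE or failure line, None for anything else."""
    m = ISSUE_RE.search(line)
    if m:
        ev = {"kind": "issue", "error": None,
              "rep": int(m["rep"]), "tkt": int(m["tkt"]), "ses": int(m["ses"])}
    else:
        m = FAIL_RE.search(line)
        if not m:
            return None
        ev = {"kind": "failure", "error": m["error"],
              "rep": None, "tkt": None, "ses": None}
    ev.update(stage=m["stage"], ip=m["ip"], client=m["client"], server=m["server"],
              requested=[int(x) for x in m["req"].split()])
    return ev


def analyze(log_text):
    """All TGS_REQ events in a chunk of krb5kdc log, in order."""
    return [ev for ev in map(parse_tgs_line, log_text.splitlines()) if ev]


def findings(events):
    """Things worth a second look while rekeying krbtgt."""
    out = []
    for ev in events:
        who = "%s -> %s" % (ev["client"], ev["server"])
        if ev["kind"] == "issue" and ev["rep"] != ev["ses"]:
            # The reply is protected with the session key of the TGT the client
            # presented, so rep != ses means the request came in under a TGT of
            # one enctype and the new ticket was issued with another.
            out.append("%s: reply under %s, new session key %s, ticket %s" % (
                who, etype_name(ev["rep"]), etype_name(ev["ses"]), etype_name(ev["tkt"])))
        if ev["kind"] == "failure":
            out.append("%s: %s failed: %s" % (who, ev["stage"], ev["error"]))
        weak = sorted(SINGLE_DES & set(ev["requested"]))
        if weak:
            out.append("%s: client still offers %s" % (
                who, ", ".join(etype_name(n) for n in weak)))
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Against the post's lines this reports the krbtgt issue at 19:15:03 as "reply under des3-cbc-sha1, new session key aes256-cts-hmac-sha1-96, ticket aes256-cts-hmac-sha1-96", which is the same picture the two klist outputs give (a request made under the kvno 1 des3 TGT that came back as a kvno 2 aes256 TGT), followed by the HANDLE_AUTHDATA failure for host/client-2.internal and the single-DES etypes that client still advertises. Pipe `journalctl -u krb5kdc` or the kdc.log file into `analyze()` to run it on a real KDC.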