From mzagrabe at d.umn.edu  Mon Jul  8 14:54:40 2024
From: mzagrabe at d.umn.edu (Matt Zagrabelny)
Date: Mon, 8 Jul 2024 13:54:40 -0500
Subject: recent certificate failure for pkinit
Message-ID: <CAOLfK3XsL_QKci34mgeWdpra6Fr3AbDfiMPm+ufd0P2L4-DshA@mail.gmail.com>

Greetings Kerberos-users,

I've been successfully using OTP and pkinit for the past year or so. Within
the last week, or so, it has started to fail with:

client:
$ /usr/bin/kinit -n -c /tmp/.kerberos_cache
kinit: Preauthentication failed while getting initial credentials

KDC:
KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at EXAMPLE.COM for krbtgt/
EXAMPLE.COM at EXAMPLE.COM, Failed to verify own certificate (depth 0): unable
to get local issuer certificate

I've looked at the KDC and CA certs and their expiration dates are still
valid.

Looking at the system, the packages have recently been updated due to
Debian patching the krb5 packages for a CVE:

krb5 (1.20.1-2+deb12u2) bookworm-security; urgency=high

  * CVE-2024-37370: an unauthenticated attacker can modify the
    extra count in an RFC 4121 GSS token, causing the token to appear
    truncated.
  *  CVE-2024-37371: an attacker can cause invalid memory reads by
    sending an invalid GSS token.

 -- Sam Hartman <hartmans at debian.org>  Mon, 01 Jul 2024 11:31:35 -0600

I've tried to downgrade the packages, but the error persists.

I have enabled tracing via the KRB5_TRACE=/dev/stdout variable, for both
the client and KDC. Nothing really stands out.

Does anyone have any ideas about where to look next?

Thanks for the help!

-m

From carson at taltos.org  Mon Jul  8 17:52:21 2024
From: carson at taltos.org (Carson Gaspar)
Date: Mon, 8 Jul 2024 17:52:21 -0400
Subject: recent certificate failure for pkinit
In-Reply-To: <CAOLfK3XsL_QKci34mgeWdpra6Fr3AbDfiMPm+ufd0P2L4-DshA@mail.gmail.com>
References: <CAOLfK3XsL_QKci34mgeWdpra6Fr3AbDfiMPm+ufd0P2L4-DshA@mail.gmail.com>
Message-ID: <ca4ed132-8911-49ed-95bd-ba24e0f4d47d@taltos.org>


On 7/8/2024 2:54 PM, Matt Zagrabelny via Kerberos wrote:
> Greetings Kerberos-users,
>
> I've been successfully using OTP and pkinit for the past year or so. Within
> the last week, or so, it has started to fail with:
>
> client:
> $ /usr/bin/kinit -n -c /tmp/.kerberos_cache
> kinit: Preauthentication failed while getting initial credentials
>
> KDC:
> KDC_RETURN_PADATA:WELLKNOWN/ANONYMOUS at EXAMPLE.COM  for krbtgt/
> EXAMPLE.COM at EXAMPLE.COM, Failed to verify own certificate (depth 0): unable
> to get local issuer certificate

I've run into this error before. MIT's KDC, for some bizarre reason, 
insists that its server cert validate against the same set of CAs used 
to authorize client PKINIT certs. This is insecure and a terrible idea, 
but oh well. So make sure that the KDC server cert validates against the 
set of CAs you've specified in the config file.

If you want more debugging, AFAIK you'll need to recompile the pkinit 
plugin and set a CPP debug macro to 1 to get more useful info out of it 
(and the debug output goes to stderr as I recall).

-- 

Carson

From kenh at cmf.nrl.navy.mil  Mon Jul  8 21:29:32 2024
From: kenh at cmf.nrl.navy.mil (Ken Hornstein)
Date: Mon, 08 Jul 2024 21:29:32 -0400
Subject: recent certificate failure for pkinit
In-Reply-To: <ca4ed132-8911-49ed-95bd-ba24e0f4d47d@taltos.org>
References: <CAOLfK3XsL_QKci34mgeWdpra6Fr3AbDfiMPm+ufd0P2L4-DshA@mail.gmail.com>
 <ca4ed132-8911-49ed-95bd-ba24e0f4d47d@taltos.org>
Message-ID: <202407090129.4691TVGd021792@hedwig.cmf.nrl.navy.mil>

>> KDC:
>> KDC_RETURN_PADATA:WELLKNOWN/ANONYMOUS at EXAMPLE.COM  for krbtgt/
>> EXAMPLE.COM at EXAMPLE.COM, Failed to verify own certificate (depth 0): unable
>> to get local issuer certificate
>
>I've run into this error before. MIT's KDC, for some bizarre reason, 
>insists that its server cert validate against the same set of CAs used 
>to authorize client PKINIT certs. This is insecure and a terrible idea, 
>but oh well. So make sure that the KDC server cert validates against the 
>set of CAs you've specified in the config file.

The full chain is needed on the KDC side so intermediate certificates
can be sent in the CMS object, and the easiest way to get the full chain
with OpenSSL is to call X509_verify_cert().

However, I disagree with your assertion that this is insecure.  In my
experience certificates used by the KDC and clients are all issued by
the same PKI, so there's nothing insecure about trusting the same set
of certificates for both (and in the above example if you are using
anonymous PKINIT you're not using a client certificate anyway).

If I was in the situation where client certificates were issued by a
different PKI than the KDC certificate and I didn't trust the PKI
that was issuing the KDC certificate I would probably write a certauth
plugin to reject client certificates signed by the "wrong" PKI.

--Ken