[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q

Reinhard Kugler via RT rt-comment at krbdev.mit.edu
Tue Apr 2 06:50:43 EDT 2013


On Mon, Apr 1, 2013 at 11:27 PM, Tom Yu via RT <rt-comment at krbdev.mit.edu> wrote:

> "Reinhard Kugler via RT" <rt-comment at krbdev.mit.edu> writes:
>
> > pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> > pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> > processing KRB5_PADATA_PK_AS_REQ
> > CMS Verification successful
> > #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> > #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> > crypto_retrieve_X509_sans: looking for SANs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> > crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> > crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> > verify_client_san: Checking pkinit sans
> > verify_client_san: no pkinit san match found
> > verify_client_san: Checking upn sans
> > verify_client_san: upn san match found
> > verify_client_san: returning retval 0, valid_san 1
> > crypto_check_cert_eku: looking for EKUs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> > crypto_check_cert_eku: found eku info in the cert
> > crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> > crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> > crypto_check_cert_eku: found digitalSignature KU
> > crypto_check_cert_eku: returning retval 0, valid_eku 1
> > verify_client_eku: returning retval 0, eku_accepted 1
> > client sent dh params with 1024 bits, we require 2048
>
> The above looks like a possible configuration problem.  For some
> reason, the Windows 7 client is sending 1024 bits, while the KDC
> requires 2048 bits.
>

I didn't find how to change the dh key length on Windows 7.
I added "pkinit_dh_min_bits = 1024" to /etc/krb5.conf,
but this seems to have no effect on the behavior of the kdc.

> > bad dh parameters
> > pkinit_verify_padata failed: creating e-data
> > pkinit_create_edata: creating edata for error -1765328319 (Key
> > parameters not accepted)
> > pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> > pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> > pkinit_verify_padata: entered!
> > pkinit_find_realm_context: returning context at 0x1df1790 for realm
> > 'kerberos.3ve.bmlv.at'
> > pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> > pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> > processing KRB5_PADATA_PK_AS_REQ
> > CMS Verification successful
> > #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> > #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> > crypto_retrieve_X509_sans: looking for SANs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> > crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> > crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> > verify_client_san: Checking pkinit sans
> > verify_client_san: no pkinit san match found
> > verify_client_san: Checking upn sans
> > verify_client_san: upn san match found
> > verify_client_san: returning retval 0, valid_san 1
> > crypto_check_cert_eku: looking for EKUs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
> > crypto_check_cert_eku: found eku info in the cert
> > crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> > crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> > crypto_check_cert_eku: found digitalSignature KU
> > crypto_check_cert_eku: returning retval 0, valid_eku 1
> > verify_client_eku: returning retval 0, eku_accepted 1
> > p is not well-known group 2 dhparameter
> > good 2048 dhparams
>
> Is the above also from the same Windows 7 client during the same
> authentication attempt?
>

Yes.
It looks like the Windows 7 client does two attempts before giving up.
The first quits with "bad dh parameters" and
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.
The second seems to succeed, but is not accepted by the Windows 7 client.

I repeated the test:
- start kdc
- do a single authentication via "runas /smartcard cmd"
same result

[root at kerberos ~]# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init_realm: initializing context at 0x1d3f820 for
realm 'kerberos.3ve.bmlv.at'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x1d53f00
pkinit_init_identity_crypto: returning ctx at 0x1d556d0
pkinit_init_kdc_profile: entered for realm kerberos.3ve.bmlv.at
pkinit_init_kdc_profile: invalid value (1024) for pkinit_dh_min_bits, using
default value (2048) instead
pkinit_identity_initialize: 0x1d38200 0x1d55840 0x1d556d0
process_option_identity: processing value
'FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value
'FILE:/var/kerberos/krb5kdc/ca.pem'
crypto_load_cas_and_crls: called with idtype FILE and catype ANCHORS
pkinit_server_plugin_init_realm: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_plugin_init: returning context at 0x1d3f2b0
krb5kdc: starting...
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ce70
pkinit_init_kdc_req_context: returning reqctx at 0x1d6cce0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key parameters
not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d6cce0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ce70
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ada0
pkinit_init_kdc_req_context: returning reqctx at 0x1d71ae0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130 at kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d71ae0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ada0
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'


krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = kerberos.3ve.bmlv.at
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 1h
 forwardable = true
 allow_weak_crypto = true

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[domain_realm]
 .kerberos.3ve.bmlv.at = kerberos.3ve.bmlv.at
 kerberos.3ve.bmlv.at = kerberos.3ve.bmlv.at

[realms]
kerberos.3ve.bmlv.at = {
 kdc = dc.kerberos.3ve.bmlv.at:88
 admin_server = dc.kerberos.3ve.bmlv.at:749
 default_domain = kerberos.3ve.bmlv.at
 kadmind_port = 749
 max_life = 2h 0m 0s
 max_renewable_life = 0d 1h 0m 0s
 master_key_type = aes128-cts
 acl_file = /var/kerberos/krb5kdc/3ve-kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/3ve-kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal
des3-hmac-sha1:normal arcfour-hmac:normal arcfour-hmac-md5:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 pkinit_identity =
FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/ca.pem
 #pkinit_eku_checking = none
 pkinit_dh_min_bits = 1024
 pkinit_allow_upn = true
 #allow_weak_crypto = true
}
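The KDC log above shows the three decisions the PKINIT server makes about client-supplied DH parameters: compare the bit length against pkinit_dh_min_bits ("client sent dh params with 1024 bits, we require 2048"), compare p against the well-known MODP groups ("p is not well-known group 2 dhparameter" followed by "good 2048 dhparams"), and, per the ticket title, cope with a parameter set that carries no q. The following is an added example written for this page, not krb5's own code; it implements those checks as a stand-alone validator. The two primes are the MODP groups from RFC 2409 (group 2, 1024 bits) and RFC 3526 (group 14, 2048 bits); the names DHParams, check_dh_params, is_probable_prime, the policy that q, when present, must equal (p-1)/2, and the constructed sample inputs are all assumptions made for the example.

```python
"""Validator for client-supplied PKINIT DH domain parameters (added example,
not krb5 code). A missing q is tolerated: for a safe prime p with generator 2
the subgroup order is (p-1)/2, so q can be derived rather than demanded."""
import random
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 2409 section 6.2, "Second Oakley Group" (1024-bit MODP).
MODP_GROUP2_P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)

# RFC 3526 section 3, group 14 (2048-bit MODP).
MODP_GROUP14_P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05"
    "98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB"
    "9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B"
    "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718"
    "3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)

# Bit length -> (label, p). Both groups use generator 2.
WELL_KNOWN_GROUPS = {1024: ("group 2", MODP_GROUP2_P), 2048: ("group 14", MODP_GROUP14_P)}
DEFAULT_DH_MIN_BITS = 2048  # the default the KDC log falls back to

# Constructed sample: an odd 2048-bit number divisible by 3, i.e. certainly
# composite, standing in for a client that sends a home-made, bogus p.
COMPOSITE_P = (1 << 2047) + 1


@dataclass
class DHParams:
    p: int
    g: int
    q: Optional[int] = None  # Windows clients omit q (assumption from the ticket title)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with fixed-seed witnesses so runs are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(params: DHParams, min_bits: int = DEFAULT_DH_MIN_BITS) -> Tuple[bool, str]:
    """Return (accepted, reason); reasons mirror the wording in the KDC log."""
    p, g = params.p, params.g
    bits = p.bit_length()
    if bits < min_bits:
        return False, f"client sent dh params with {bits} bits, we require {min_bits}"
    if not 1 < g < p - 1:
        return False, "generator out of range"
    q = (p - 1) // 2  # subgroup order for a safe prime; derived when q is absent
    if params.q is not None and params.q != q:
        return False, "q does not match (p-1)/2"
    label, known_p = WELL_KNOWN_GROUPS.get(bits, (None, None))
    if known_p == p:
        # Exact match with a published group: g must be that group's generator.
        return (True, f"good {bits} dhparams") if g == 2 else (False, f"{label} requires g = 2")
    # Not a well-known p ("p is not well-known group N dhparameter" in the log):
    # fall back to verifying the group structure ourselves.
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return False, "p is not a safe prime"
    if pow(g, q, p) != 1:
        return False, "g does not generate the order-q subgroup"
    return True, f"good {bits} dhparams (custom safe prime)"


if __name__ == "__main__":
    # Reproduce the page's two attempts: group 2 at min 2048, then group 14 without q.
    print(check_dh_params(DHParams(p=MODP_GROUP2_P, g=2)))
    print(check_dh_params(DHParams(p=MODP_GROUP14_P, g=2)))
    print(check_dh_params(DHParams(p=COMPOSITE_P, g=2)))
```

Run as a script, the first line reproduces the "1024 bits, we require 2048" rejection from the first attempt, the second accepts the 2048-bit group-14 parameters even though no q was supplied, and the third shows that a p which matches no published group is only accepted after it passes a safe-prime and subgroup check, so tolerating a missing q does not mean trusting arbitrary client parameters.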
