Kerberos Client on FreeBSD 14.0 failing due to RC4 usage #1224
Comments
Workaround is to create an OpenSSL config file re-enabling the legacy providers:

```ini
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Then run kinit with the env var
See https://src.fedoraproject.org/rpms/krb5/blob/rawhide/f/0011-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch for how we do it in MIT krb5.

@jborean93 thanks so much for this detailed report. I will make a 7.8.1 release with a fix for this. The fix will consist of:
I've run into this today trying to use heimdal from FreeBSD ports with openssh-portable to see if the fix for https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279437 works. @jborean93 does heimdal from FreeBSD base (@nicowilliams FreeBSD includes heimdal in their "base system", so Kerberos is always available with tools like SSH and others) work for you? I am on 15-CURRENT and /usr/bin/kinit always works for me when not using the heimdal port. Looking at the history of changes, FreeBSD applied numerous improvements to Heimdal in the base system. It seems to me that Cy Schubert @cschuber fixed that particular problem in https://cgit.freebsd.org/src/commit/?id=476d63e091c2e663b51d18acf6acb282e1f22bbc (on GitHub: freebsd/freebsd-src@476d63e)

I never tested base because it ships with a version of Heimdal missing a few functions needed in our tests. In the end, to get our tests working I just enabled the legacy provider for OpenSSL and opened the bug report for the FreeBSD port and here for Heimdal.

Thank you @jborean93 - I just realized that base Kerberos is 1.5.2 with lots of patches. Anyway, the security/heimdal-devel port worked for me...
This was resolved in freebsd/main by 476d63e091c2 MFCed to stable/14 by c7db2e15e404. It was not MFSed to releng/14.0 but it is in releng/14.1. |
Describe the bug

When attempting to use the security/heimdal (based on Heimdal 7.8) port on FreeBSD 14.0 it fails when attempting to get a ticket with

In this environment I am not using RC4 at all, and the tickets across the wire as well as the KDC logs verify that the etype used in the exchange is aes256-cts-hmac-sha1-96. I ended up building my own debug build of Heimdal 7.8 from the 7.8 branch and was able to reproduce the error. Digging down I found that kinit eventually calls krb5_string_to_key_data_salt_opaque and the string_to_key function in this case is AES_SHA1_string_to_key. This function then calls EVP_sha1 which in turn calls hcrypto_validate.

The problem here is that hcrypto_validate loops through these test ciphers which include some RC4 ciphers. This ends up bringing down the whole process even though RC4 isn't even going to be used at all. It seems like the same code is in the master branch as well, so I expect other places would be affected by it now that OpenSSL policies will stop allowing ciphers like RC4. I just placed an #if 0 around the RC4 tests, recompiled, and now the code works, so this seems to be the problem here.

To Reproduce

```sh
pkg install heimdal
kinit [email protected]
```

This is most likely also affected by setups where OpenSSL has blocked RC4. I don't know enough about OpenSSL currently to fully understand how those policies work yet.

Expected behavior

kinit works without failing.

Actual behaviour

Running the kinit from the heimdal package with the debug logs turned on I get

Desktop (please complete the following information):
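The following is an added illustration of the failure mode described in this report, not code from Heimdal or from any commenter. It uses CPython's hashlib, which is backed by libcrypto's EVP layer and therefore subject to the same OpenSSL 3 provider policy that makes RC4 unavailable; md4 (legacy provider only on OpenSSL 3) stands in for RC4 because hashlib exposes digests rather than ciphers. The names SELF_TEST_DIGESTS, probe, validate_strict and validate_lenient are assumptions for the example, not hcrypto identifiers. It contrasts a self-test that aborts on the first unavailable algorithm (what the report describes) with one that only fails when an algorithm the caller actually needs is missing.

```python
"""Probe which algorithms the process's libcrypto actually provides, and
contrast a self-test that aborts on any missing algorithm with one that only
fails when a required algorithm is missing.

Added illustration, not Heimdal code. CPython's hashlib.new() is backed by
libcrypto's EVP layer, so it reflects the same provider policy that removed
RC4 in the issue above; md4 (legacy provider only on OpenSSL 3) stands in
for RC4 because hashlib exposes digests rather than ciphers.
"""
import hashlib


class AlgorithmUnavailable(RuntimeError):
    """Raised when a self-test finds an algorithm libcrypto will not provide."""


# Constructed list of digests a start-up self-test might exercise. On an
# OpenSSL 3 build without the legacy provider, md4 is the one that fails.
SELF_TEST_DIGESTS = ("md4", "md5", "sha1", "sha256")


def probe(names):
    """Return {name: available} for each digest name. Never raises."""
    available = {}
    for name in names:
        try:
            hashlib.new(name, b"probe")  # instantiation fails if no provider offers it
            available[name] = True
        except ValueError:  # hashlib reports "unsupported hash type <name>"
            available[name] = False
    return available


def validate_strict(names):
    """The failure mode from the issue: the first missing algorithm aborts the
    whole validation, whether or not the caller ever uses it."""
    for name, ok in probe(names).items():
        if not ok:
            raise AlgorithmUnavailable(f"self-test failed: {name} is not provided")
    return True


def validate_lenient(names, required):
    """Skip legacy algorithms that are missing; fail only if one the caller
    needs is missing. Returns the sorted names that were skipped."""
    available = probe(set(names) | set(required))
    missing_required = sorted(n for n in required if not available[n])
    if missing_required:
        raise AlgorithmUnavailable(
            f"required algorithm(s) not provided: {', '.join(missing_required)}")
    return sorted(n for n, ok in available.items() if not ok)


if __name__ == "__main__":
    print("provider probe:", probe(SELF_TEST_DIGESTS))
    try:
        validate_strict(SELF_TEST_DIGESTS)
        print("strict validation passed (legacy provider appears to be loaded)")
    except AlgorithmUnavailable as exc:
        print("strict validation aborted:", exc)
    # An aes256-cts-hmac-sha1-96 ticket needs sha1, not md4 or RC4, so a
    # lenient validation lets the client proceed and only reports what it skipped.
    try:
        skipped = validate_lenient(SELF_TEST_DIGESTS, required=("sha1",))
        print("lenient validation skipped:", skipped)
    except AlgorithmUnavailable as exc:
        print("lenient validation failed:", exc)
```

Run it once with the default OpenSSL config and once with OPENSSL_CONF pointing at a file that activates the legacy provider (as in the workaround above); the probe output changes for md4 while sha1 and sha256 stay available either way, which is exactly why a self-test keyed to the algorithms the caller requires does not take the whole process down.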