From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 25 Feb 2022 08:58:24 +0200 Subject: [PATCH] KRB instance: make provision to work with crypto policy without SHA-1 HMAC types RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use. Due to bootstrapping process, force explicitly supported encryption types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only in FIPS mode at bootstrap time which then fails to initialize kadmin principals requiring use of AES256-SHA2 and AES128-SHA2. Camellia ciphers must be filtered out in FIPS mode, we do that already in the kerberos.ldif. At this point we are not changing the master key encryption type to AES256-SHA2 because upgrading existing deployments is complicated and at the time when a replica configuration is deployed, we don't know what is the encryption type of the master key of the original server as well. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy Reviewed-By: Julien Rische Reviewed-By: Francisco Trivino --- install/share/kdc.conf.template | 3 ++- install/share/kerberos.ldif | 2 ++ ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -6,7 +6,8 @@ [realms] $REALM = { - master_key_type = aes256-cts + master_key_type = $MASTER_KEY_TYPE + supported_enctypes = $SUPPORTED_ENCTYPES max_life = 7d max_renewable_life = 14d acl_file = $KRB5KDC_KADM5_ACL diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif 
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 +krbDefaultEncSaltTypes: aes256-sha2:special +krbDefaultEncSaltTypes: aes128-sha2:special krbDefaultEncSaltTypes: aes256-cts:special krbDefaultEncSaltTypes: aes128-cts:special diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -51,6 +51,14 @@ logger = logging.getLogger(__name__) PKINIT_ENABLED = 'pkinitEnabled' +MASTER_KEY_TYPE = 'aes256-sha1' +SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special', + 'aes256-sha2:normal', 'aes128-sha2:normal', + 'aes256-cts:special', 'aes128-cts:special', + 'aes256-cts:normal', 'aes128-cts:normal', + 'camellia256-cts:special', 'camellia128-cts:special', + 'camellia256-cts:normal', 'camellia128-cts:normal') + def get_pkinit_request_ca(): """ @@ -252,6 +260,7 @@ class KrbInstance(service.Service): else: includes = '' + fips_enabled = tasks.is_fips_enabled() self.sub_dict = dict(FQDN=self.fqdn, IP=self.ip, PASSWORD=self.kdc_password, @@ -269,7 +278,17 @@ class KrbInstance(service.Service): KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM, CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM, INCLUDES=includes, - FIPS='#' if tasks.is_fips_enabled() else '') + FIPS='#' if fips_enabled else '') + + if fips_enabled: + supported_enctypes = list( + filter(lambda e: not e.startswith('camelia'), + SUPPORTED_ENCTYPES)) + else: + supported_enctypes = SUPPORTED_ENCTYPES + self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes) + + self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE # IPA server/KDC is not a subdomain of default domain # Proper domain-realm mapping needs to be specified -- 2.34.1
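Review bot: The two new module constants MASTER_KEY_TYPE and SUPPORTED_ENCTYPES carry no comment, so the reason the master key is pinned to `'aes256-sha1'` while the SHA-2 enctypes are listed first exists only in the commit message; a later maintainer "modernizing" the master key type will not see the replica-install constraint. I would put the rationale directly above the constants, e.g. `# Keep aes256-sha1 for the master key: existing deployments cannot be re-keyed here and a replica cannot learn the original server's master key enctype (pagure #9119).` For the tuple, `# enctype:salt pairs written verbatim, in this order, into kdc.conf supported_enctypes; Camellia entries are dropped in FIPS mode.` makes the ordering and the FIPS filtering intent explicit where they are consumed.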
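Review bot: The FIPS filter on the new `supported_enctypes` branch never removes anything: the lambda tests `e.startswith('camelia')` (one "l"), while every entry in SUPPORTED_ENCTYPES is spelled `camellia…`, so in FIPS mode all four Camellia pairs still land in kdc.conf's supported_enctypes, which is the opposite of what the commit message says must happen. The prefix should match the tuple's spelling, and a comprehension reads more clearly than `list(filter(lambda …))`: `supported_enctypes = [e for e in SUPPORTED_ENCTYPES if not e.startswith('camellia')]`. A unit test asserting that no entry containing `'camellia'` survives when `tasks.is_fips_enabled()` returns True would have caught this. The enclosing method starts before this hunk, and the `self.sub_dict = dict(...)` call it extends begins in an earlier hunk.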