From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 25 Feb 2022 08:58:24 +0200
Subject: [PATCH] KRB instance: make provision to work with crypto policy
without SHA-1 HMAC types
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
Due to the bootstrapping process, explicitly force the supported encryption
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
in FIPS mode at bootstrap time which then fails to initialize kadmin
principals requiring use of AES256-SHA2 and AES128-SHA2.
Camellia ciphers must be filtered out in FIPS mode, we do that already
in the kerberos.ldif.
At this point we are not changing the master key encryption type to
AES256-SHA2 because upgrading existing deployments is complicated and
at the time when a replica configuration is deployed, we don't know what
is the encryption type of the master key of the original server as well.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
install/share/kdc.conf.template | 3 ++-
install/share/kerberos.ldif | 2 ++
ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
|
|
|
1079a7 |
index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
|
|
|
1079a7 |
--- a/install/share/kdc.conf.template
|
|
|
1079a7 |
+++ b/install/share/kdc.conf.template
|
|
|
1079a7 |
@@ -6,7 +6,8 @@
|
|
|
1079a7 |
|
|
|
1079a7 |
[realms]
|
|
|
1079a7 |
$REALM = {
|
|
|
1079a7 |
- master_key_type = aes256-cts
|
|
|
1079a7 |
+ master_key_type = $MASTER_KEY_TYPE
|
|
|
1079a7 |
+ supported_enctypes = $SUPPORTED_ENCTYPES
|
|
|
1079a7 |
max_life = 7d
|
|
|
1079a7 |
max_renewable_life = 14d
|
|
|
1079a7 |
acl_file = $KRB5KDC_KADM5_ACL
|
|
|
1079a7 |
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
|
|
|
1079a7 |
index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
|
|
|
1079a7 |
--- a/install/share/kerberos.ldif
|
|
|
1079a7 |
+++ b/install/share/kerberos.ldif
|
|
|
1079a7 |
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
|
|
|
1079a7 |
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
|
|
|
1079a7 |
krbMaxTicketLife: 86400
|
|
|
1079a7 |
krbMaxRenewableAge: 604800
|
|
|
1079a7 |
+krbDefaultEncSaltTypes: aes256-sha2:special
|
|
|
1079a7 |
+krbDefaultEncSaltTypes: aes128-sha2:special
|
|
|
1079a7 |
krbDefaultEncSaltTypes: aes256-cts:special
|
|
|
1079a7 |
krbDefaultEncSaltTypes: aes128-cts:special
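Review bot: The two new `krbDefaultEncSaltTypes` entries are added without any comment, and the SHA-1 HMAC defaults `aes256-cts:special` / `aes128-cts:special` stay right beside them even though the stated purpose of the change is to move away from SHA-1 HMAC types. If keeping the SHA-1 defaults is deliberate (presumably because the master key type is left unchanged and existing deployments still depend on them), a `#` comment above the block, e.g. `# SHA-2 key:salt types first; the SHA-1 (aes*-cts) defaults are kept on purpose, see issue 9119`, would stop a later SHA-1 clean-up from silently removing them. The new entries are also placed ahead of the existing ones; if the order of these attribute values is significant to whatever consumes them, that deserves the same comment. The SHA-2 entries are not `${FIPS}`-gated, unlike the camellia lines visible in the hunk header, which looks intentional but is worth stating in the comment as well.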
|
|
|
1079a7 |
|
|
|
1079a7 |
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
|
|
1079a7 |
index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
|
|
|
1079a7 |
--- a/ipaserver/install/krbinstance.py
|
|
|
1079a7 |
+++ b/ipaserver/install/krbinstance.py
|
|
|
1079a7 |
@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
|
|
|
1079a7 |
|
|
|
1079a7 |
PKINIT_ENABLED = 'pkinitEnabled'
|
|
|
1079a7 |
|
|
|
1079a7 |
+MASTER_KEY_TYPE = 'aes256-sha1'
|
|
|
1079a7 |
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
|
|
|
1079a7 |
+ 'aes256-sha2:normal', 'aes128-sha2:normal',
|
|
|
1079a7 |
+ 'aes256-cts:special', 'aes128-cts:special',
|
|
|
1079a7 |
+ 'aes256-cts:normal', 'aes128-cts:normal',
|
|
|
1079a7 |
+ 'camellia256-cts:special', 'camellia128-cts:special',
|
|
|
1079a7 |
+ 'camellia256-cts:normal', 'camellia128-cts:normal')
|
|
|
1079a7 |
+
|
|
|
1079a7 |
|
|
|
1079a7 |
def get_pkinit_request_ca():
|
|
|
1079a7 |
"""
|
|
|
1079a7 |
@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
|
|
|
1079a7 |
else:
|
|
|
1079a7 |
includes = ''
|
|
|
1079a7 |
|
|
|
1079a7 |
+ fips_enabled = tasks.is_fips_enabled()
|
|
|
1079a7 |
self.sub_dict = dict(FQDN=self.fqdn,
|
|
|
1079a7 |
IP=self.ip,
|
|
|
1079a7 |
PASSWORD=self.kdc_password,
|
|
|
1079a7 |
@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
|
|
|
1079a7 |
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
|
|
|
1079a7 |
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
|
|
|
1079a7 |
INCLUDES=includes,
|
|
|
1079a7 |
- FIPS='#' if tasks.is_fips_enabled() else '')
|
|
|
1079a7 |
+ FIPS='#' if fips_enabled else '')
|
|
|
1079a7 |
+
|
|
|
1079a7 |
+ if fips_enabled:
|
|
|
1079a7 |
+ supported_enctypes = list(
|
|
|
1079a7 |
+ filter(lambda e: not e.startswith('camelia'),
|
|
|
1079a7 |
+ SUPPORTED_ENCTYPES))
|
|
|
1079a7 |
+ else:
|
|
|
1079a7 |
+ supported_enctypes = SUPPORTED_ENCTYPES
|
|
|
1079a7 |
+ self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
|
|
|
1079a7 |
+
|
|
|
1079a7 |
+ self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
|
|
|
1079a7 |
|
|
|
1079a7 |
# IPA server/KDC is not a subdomain of default domain
|
|
|
1079a7 |
# Proper domain-realm mapping needs to be specified
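Review bot: The FIPS branch filters with `e.startswith('camelia')` (one `l`), while every Camellia entry in SUPPORTED_ENCTYPES is spelled `camellia…`, so the predicate never matches and the Camellia key:salt types are still written to kdc.conf's supported_enctypes in FIPS mode, contrary to what the commit message claims. Change the lambda to `filter(lambda e: not e.startswith('camellia'),`; a comprehension, `supported_enctypes = [e for e in SUPPORTED_ENCTYPES if not e.startswith('camellia')]`, reads more directly than filter plus lambda and would have made the typo easier to spot. Consider deriving the prefix from a single named constant so the kdc.conf filter and the `${FIPS}` gating in kerberos.ldif cannot drift apart again. The enclosing method of KrbInstance starts before this hunk and continues after it.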
|
|
|
1079a7 |
--
2.34.1