bb0ded
From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
bb0ded
From: Alexander Bokovoy <abokovoy@redhat.com>
bb0ded
Date: Fri, 25 Feb 2022 08:58:24 +0200
bb0ded
Subject: [PATCH] KRB instance: make provision to work with crypto policy
bb0ded
 without SHA-1 HMAC types
bb0ded
bb0ded
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
bb0ded
bb0ded
Due to the bootstrapping process, explicitly force the supported encryption
bb0ded
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
bb0ded
in FIPS mode at bootstrap time which then fails to initialize kadmin
bb0ded
principals requiring use of AES256-SHA2 and AES128-SHA2.
bb0ded
bb0ded
Camellia ciphers must be filtered out in FIPS mode, we do that already
bb0ded
in the kerberos.ldif.
bb0ded
bb0ded
At this point we are not changing the master key encryption type to
bb0ded
AES256-SHA2 because upgrading existing deployments is complicated and
bb0ded
at the time when a replica configuration is deployed, we don't know what
bb0ded
is the encryption type of the master key of the original server as well.
bb0ded
bb0ded
Fixes: https://pagure.io/freeipa/issue/9119
bb0ded
bb0ded
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
bb0ded
Reviewed-By: Julien Rische <jrische@redhat.com>
bb0ded
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
bb0ded
---
bb0ded
 install/share/kdc.conf.template  |  3 ++-
bb0ded
 install/share/kerberos.ldif      |  2 ++
bb0ded
 ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
bb0ded
 3 files changed, 24 insertions(+), 2 deletions(-)
bb0ded
bb0ded
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
bb0ded
index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
bb0ded
--- a/install/share/kdc.conf.template
bb0ded
+++ b/install/share/kdc.conf.template
bb0ded
@@ -6,7 +6,8 @@
bb0ded
 
bb0ded
 [realms]
bb0ded
  $REALM = {
bb0ded
-  master_key_type = aes256-cts
bb0ded
+  master_key_type = $MASTER_KEY_TYPE
bb0ded
+  supported_enctypes = $SUPPORTED_ENCTYPES
bb0ded
   max_life = 7d
bb0ded
   max_renewable_life = 14d
bb0ded
   acl_file = $KRB5KDC_KADM5_ACL
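Review bot: The template gives no hint why supported_enctypes is now pinned explicitly instead of being left to the library default, so a later cleanup could drop the line and reintroduce the bootstrap failure the commit describes. A comment above it would record the reason, e.g. `# supported_enctypes is set explicitly: under a crypto policy without SHA-1 HMAC the library default may omit the SHA-2 AES types kadmin principals need at bootstrap (see freeipa issue 9119)`. kdc.conf accepts `#` comment lines, so this costs nothing at runtime.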
bb0ded
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
bb0ded
index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
bb0ded
--- a/install/share/kerberos.ldif
bb0ded
+++ b/install/share/kerberos.ldif
bb0ded
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
bb0ded
 ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
bb0ded
 krbMaxTicketLife: 86400
bb0ded
 krbMaxRenewableAge: 604800
bb0ded
+krbDefaultEncSaltTypes: aes256-sha2:special
bb0ded
+krbDefaultEncSaltTypes: aes128-sha2:special
bb0ded
 krbDefaultEncSaltTypes: aes256-cts:special
bb0ded
 krbDefaultEncSaltTypes: aes128-cts:special
bb0ded
 
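Review bot: The two new krbDefaultEncSaltTypes values only make sense if aes256-sha2 and aes128-sha2 are also listed under krbSupportedEncSaltTypes earlier in this file, which lies outside the hunk; if they are not, the realm default would name an enctype the realm does not advertise as supported. Worth confirming that both appear there unconditionally (not behind the ${FIPS} marker). Presumably the order of these entries expresses preference, so a one-line `# SHA-2 AES types first so new keys avoid SHA-1 HMAC under restrictive crypto policies` above the new lines would explain why they precede the aes*-cts entries.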
bb0ded
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
bb0ded
index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
bb0ded
--- a/ipaserver/install/krbinstance.py
bb0ded
+++ b/ipaserver/install/krbinstance.py
bb0ded
@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
bb0ded
 
bb0ded
 PKINIT_ENABLED = 'pkinitEnabled'
bb0ded
 
bb0ded
+MASTER_KEY_TYPE = 'aes256-sha1'
bb0ded
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
bb0ded
+                      'aes256-sha2:normal', 'aes128-sha2:normal',
bb0ded
+                      'aes256-cts:special', 'aes128-cts:special',
bb0ded
+                      'aes256-cts:normal', 'aes128-cts:normal',
bb0ded
+                      'camellia256-cts:special', 'camellia128-cts:special',
bb0ded
+                      'camellia256-cts:normal', 'camellia128-cts:normal')
bb0ded
+
bb0ded
 
bb0ded
 def get_pkinit_request_ca():
bb0ded
     """
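Review bot: MASTER_KEY_TYPE and SUPPORTED_ENCTYPES carry no comment explaining why the master key stays on a SHA-1 enctype while SHA-2 types are being added, which is exactly the rationale the commit message gives and the first thing a future reader will question. Add above MASTER_KEY_TYPE: `# Deliberately still the SHA-1 enctype (the same one kdc.conf previously spelled aes256-cts): changing it would mean re-keying existing deployments, and a replica cannot tell which type the original server used. See https://pagure.io/freeipa/issue/9119`. Above SUPPORTED_ENCTYPES, note that the Camellia entries are meant to be removed in FIPS mode by a prefix filter in KrbInstance, so the `camellia` spelling of these entries must stay in step with that filter. Whether the tuple order is also the KDC's preference order cannot be confirmed from this hunk; if it is, say so in the same comment.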
bb0ded
@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
bb0ded
         else:
bb0ded
             includes = ''
bb0ded
 
bb0ded
+        fips_enabled = tasks.is_fips_enabled()
bb0ded
         self.sub_dict = dict(FQDN=self.fqdn,
bb0ded
                              IP=self.ip,
bb0ded
                              PASSWORD=self.kdc_password,
bb0ded
@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
bb0ded
                              KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
bb0ded
                              CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
bb0ded
                              INCLUDES=includes,
bb0ded
-                             FIPS='#' if tasks.is_fips_enabled() else '')
bb0ded
+                             FIPS='#' if fips_enabled else '')
bb0ded
+
bb0ded
+        if fips_enabled:
bb0ded
+            supported_enctypes = list(
bb0ded
+                filter(lambda e: not e.startswith('camelia'),
bb0ded
+                       SUPPORTED_ENCTYPES))
bb0ded
+        else:
bb0ded
+            supported_enctypes = SUPPORTED_ENCTYPES
bb0ded
+        self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
bb0ded
+
bb0ded
+        self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
bb0ded
 
bb0ded
         # IPA server/KDC is not a subdomain of default domain
bb0ded
         # Proper domain-realm mapping needs to be specified
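Review bot: The FIPS branch never removes anything, because the prefix `'camelia'` in the lambda is misspelled while every Camellia entry in SUPPORTED_ENCTYPES starts with `'camellia'` (two l's); in FIPS mode kdc.conf therefore still lists camellia256-cts and camellia128-cts, contrary to the commit message. Change the filter to `filter(lambda e: not e.startswith('camellia'), SUPPORTED_ENCTYPES)`, and consider keeping the prefix in a named constant next to SUPPORTED_ENCTYPES so the two spellings cannot drift apart again. A unit test asserting that no entry containing 'camellia' survives when fips_enabled is true would have caught this. The enclosing method starts before this hunk, and the sub_dict construction it completes begins in the previous hunk.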
bb0ded
-- 
bb0ded
2.34.1
bb0ded