[Bug 1688121] Re: KDC/kadmind explicit wildcard listener addresses do not use pktinfo
Mathew Hodson
mathew.hodson at gmail.com
Sun May 7 21:04:00 UTC 2017
** Package changed: krb5 (Debian) => ubuntu-translations
** Changed in: ubuntu-translations
Importance: Unknown => Undecided
** Changed in: ubuntu-translations
Status: Fix Released => New
** Changed in: ubuntu-translations
Remote watch: Debian Bug tracker #860767 => None
** No longer affects: ubuntu-translations
** Changed in: krb5 (Ubuntu)
Importance: High => Medium
** Changed in: krb5 (Ubuntu Zesty)
Importance: High => Medium
** Bug watch removed: Debian Bug tracker #860767
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
https://bugs.launchpad.net/bugs/1688121
Title:
KDC/kadmind explicit wildcard listener addresses do not use pktinfo
Status in krb5 package in Ubuntu:
Fix Released
Status in krb5 source package in Zesty:
In Progress
Bug description:
This is fixed in artful in krb5 1.15-2
- upstream: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8530
- debian: conflated into https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860767
- debian patch in artful's krb5: 0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch
[Impact]
When the KDC receives a kinit request via UDP on an aliased interface, the response is sent with the wrong source IP and never received by kinit.
After a short timeout, kinit tries again over TCP, which works. But with PREAUTH (the default), this first request correctly fails with the server demanding PREAUTH, and the client tries again with a changed request. The whole dance starts again: first UDP, ignored, then TCP, and finally we have a ticket.
Most clients will just see an increased lag when obtaining tickets. If for some reason 88/TCP is blocked on the KDC and clients are expected to use UDP at all times, then kinit requests will just fail.
A workaround is to list the aliased interface's address in kdc_listen besides the wildcard (0.0.0.0) address.
The provided patch is applied upstream and in Debian testing.
[Test Case]
On zesty:
a) install krb5-kdc and krb5-admin-server
$ sudo apt install krb5-kdc krb5-admin-server
when prompted, use EXAMPLE.ORG (all caps) as the default realm
when prompted, select your own IP for the KDC and the Admin servers
b) configure a new realm called EXAMPLE.ORG
$ sudo krb5_newrealm
use any password of your liking when prompted
c) run kadmin.local to create a principal "ubuntu" with password "ubuntu" and with mandatory PREAUTH:
$ sudo kadmin.local addprinc -pw ubuntu +requires_preauth ubuntu
d) extract the ubuntu principal keytab and time how long it takes to obtain a ticket:
$ sudo kadmin.local ktadd -k /home/ubuntu/ubuntu.keytab ubuntu
$ sudo chown ubuntu:ubuntu /home/ubuntu/ubuntu.keytab
$ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
real 0m0.022s
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubuntu@EXAMPLE.ORG
Valid starting       Expires              Service principal
05/03/2017 21:22:08  05/04/2017 07:22:08  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 05/04/2017 21:22:08
e) add another IP to your network interface. For example, this adds 10.0.5.155 to ens3 (it has 10.0.5.55/24 already in my case):
$ sudo ip addr add 10.0.5.155/24 dev ens3
f) Edit the EXAMPLE.ORG realm section in /etc/krb5.conf and point the kdc and admin_server entries at the new IP you added in step (e):
    [realms]
        EXAMPLE.ORG = {
            kdc = 10.0.5.155
            admin_server = 10.0.5.155
        }
g) Time again how long it takes to obtain a ticket:
$ time kinit -k -t /home/ubuntu/ubuntu.keytab ubuntu
real 0m2.017s
Step (g) shows the bug.
On a more technical level, we can see that the server responds to kinit's UDP request using an incorrect source IP, therefore kinit never "sees" it. It quickly times out and switches to TCP, where the server responds using the correct source IP:
1 0.000000000 10.0.5.55 → 10.0.5.155 KRB5 216 AS-REQ
2 0.000566682 10.0.5.55 → 10.0.5.55 KRB5 298 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
Frame (2) has the incorrect source IP: the KDC answers from 10.0.5.55 instead of 10.0.5.155, the address the request was sent to.
After roughly 1s, kinit switches to TCP and tries again:
3 1.003231507 10.0.5.55 → 10.0.5.155 TCP 76 55588 → 88 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=3523453804 TSecr=0 WS=128
4 1.003269692 10.0.5.155 → 10.0.5.55 TCP 76 88 → 55588 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=2572724273 TSecr=3523453804 WS=128
5 1.003302614 10.0.5.55 → 10.0.5.155 TCP 68 55588 → 88 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=3523453804 TSecr=2572724273
6 1.003545204 10.0.5.55 → 10.0.5.155 KRB5 244 AS-REQ
7 1.003567693 10.0.5.155 → 10.0.5.55 TCP 68 88 → 55588 [ACK] Seq=1 Ack=177 Win=44800 Len=0 TSval=2572724273 TSecr=3523453804
8 1.003799664 10.0.5.155 → 10.0.5.55 KRB5 326 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
(continues)
In frame (8), and throughout the TCP handshake before it, the correct IP addresses are used; the exchange completes and we get the ticket, but not before kinit repeats the request with PREAUTH over UDP again. That's why it takes 2 seconds in the end :)
h) repeat step (g) with the updated packages. Timing should be similar to the one in step (d), and a traffic capture should show UDP (and not TCP) being used.
Alternatively, you can also prefix the kinit command with KRB5_TRACE=/dev/stderr and verify in the debug logs that UDP instead of TCP is being used.
[Regression Potential]
This affects only UDP sockets bound to a wildcard address and makes these sockets work correctly when there are aliased NICs (eth0:1, eth0:2) and/or just multiple IPs on the same NIC.
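The mechanism behind the fix, as an added example (not the krb5 project's code): a UDP responder bound to 0.0.0.0 that enables IP_PKTINFO to learn which local address each request was sent to, then pins the reply's source address to it instead of letting the kernel pick the interface's primary address. Assumes Linux; the function names are mine, and the "AS-REQ" / "KRB-ERROR" payloads are constructed placeholders, not real Kerberos messages.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CTL_LEN CMSG_SPACE(sizeof(struct in_pktinfo))
#define MSG(peer, iovp, ctl) { .msg_name = (peer), .msg_namelen = sizeof *(peer), .msg_iov = (iovp), \
                               .msg_iovlen = 1, .msg_control = (ctl), .msg_controllen = CTL_LEN }
/* 0.0.0.0:port UDP socket (0 = any free port) with IP_PKTINFO on, so recvmsg() tells
 * us which local address each request was sent to. Returns the fd or -1. */
int bind_wildcard_pktinfo(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0 || setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}
/* Receive one datagram; record the peer and the header destination address it was sent to. */
ssize_t recv_with_dst(int fd, char *buf, size_t n, struct sockaddr_in *peer, struct in_addr *dst) {
    char ctl[CTL_LEN]; struct iovec iov = { buf, n }; struct msghdr msg = MSG(peer, &iov, ctl);
    ssize_t got = recvmsg(fd, &msg, 0); dst->s_addr = 0;
    for (struct cmsghdr *c = got < 0 ? NULL : CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            *dst = ((struct in_pktinfo *)CMSG_DATA(c))->ipi_addr;
    return got;
}
/* Reply with the source address pinned to `src` (where the request arrived) instead of
 * letting the kernel pick the interface's primary address: the mechanism of the fix. */
ssize_t send_from(int fd, const char *buf, size_t n, struct sockaddr_in *peer, struct in_addr src) {
    char ctl[CTL_LEN]; struct iovec iov = { (char *)buf, n }; struct msghdr msg = MSG(peer, &iov, ctl);
    struct in_pktinfo pi = { .ipi_spec_dst = src }; struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO; c->cmsg_len = CMSG_LEN(sizeof pi);
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}
/* Loopback self-check: the reply must come back from exactly the address the request went to. */
int loopback_roundtrip(void) {
    int srv = bind_wildcard_pktinfo(0), cli = socket(AF_INET, SOCK_DGRAM, 0), ok = 0;
    struct sockaddr_in to, peer, from; struct in_addr dst; socklen_t alen = sizeof to; char buf[32];
    if (srv < 0 || cli < 0 || getsockname(srv, (struct sockaddr *)&to, &alen) < 0) goto out;
    to.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* getsockname() only gave us the port */
    if (sendto(cli, "AS-REQ", 6, 0, (struct sockaddr *)&to, sizeof to) != 6) goto out;
    if (recv_with_dst(srv, buf, sizeof buf, &peer, &dst) != 6) goto out;
    if (send_from(srv, "KRB-ERROR", 9, &peer, dst) != 9) goto out;
    alen = sizeof from; if (recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &alen) != 9) goto out;
    ok = dst.s_addr == to.sin_addr.s_addr && from.sin_addr.s_addr == to.sin_addr.s_addr;
out:
    close(srv); close(cli);
    return ok;
}
```

On a host with an aliased address like the 10.0.5.155 above, sending to the alias and comparing the reply's source with and without the IP_PKTINFO control message reproduces frame (2) versus the fixed behaviour.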