RHEL-4875

[RFE] Infer PKINIT CMS data digest from supportedCMSTypes

    Known Issue
      .The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL-9, non-AD Kerberos agent

      If a RHEL 9 Kerberos agent, either a client or a Key Distribution Center (KDC), interacts with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the user fails. To work around the problem, perform one of the following actions:

      * Set the RHEL 9 agent's crypto-policy to `DEFAULT:SHA1` to allow the verification of SHA-1 signatures:
      +
      ----
      # update-crypto-policies --set DEFAULT:SHA1
      ----

      * Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions that use SHA-256 instead of SHA-1:

      ** CentOS 9 Stream: krb5-1.19.1-15
      ** RHEL 8.7: krb5-1.18.2-17
      ** RHEL 7.9: krb5-1.15.1-53
      ** Fedora Rawhide/36: krb5-1.19.2-7
      ** Fedora 35/34: krb5-1.19.2-3

      As a result, the PKINIT authentication of the user works correctly.

      Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs CMS data with SHA-256 instead of SHA-1.

      See also xref:BZ-2060798[].
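A small checker for the conditions described in this note, written as an added example (it is not part of the release note or of the krb5 packages): it compares a peer's krb5 version-release against the thresholds listed above using a simplified rpmvercmp, and reports whether a RHEL 9 agent with a given crypto-policy will verify that peer's PKINIT CMS signature. The OS keys (`rhel8.7`, `centos9stream`, `ad`, ...) and the sample versions in the scenario are assumptions chosen for the example.

```python
"""Decide whether PKINIT between a RHEL 9 Kerberos agent and a peer verifies, from the
RHEL 9 crypto-policy and the peer's krb5 version-release (thresholds from the note above)."""
import re

# Minimum krb5 version-release per peer OS that signs CMS data with SHA-256
# (from the release note). Any other OS needs the upstream krb5 1.20 release.
MIN_SHA256_KRB5 = {
    "centos9stream": "1.19.1-15", "rhel8.7": "1.18.2-17", "rhel7.9": "1.15.1-53",
    "fedora36": "1.19.2-7", "fedora35": "1.19.2-3", "fedora34": "1.19.2-3",
}
UPSTREAM_MIN = "1.20"

def _vercmp(a, b):
    """Simplified rpmvercmp: split into digit/alpha runs, numeric beats alpha,
    and the string with segments left over is newer (no ~ or ^ handling)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def rpm_evr_cmp(a, b):
    """Compare 'version-release' strings like rpm: version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return _vercmp(av, bv) or _vercmp(ar, br)

def peer_signs_sha256(peer_os, krb5_evr):
    """True if the peer's krb5 signs PKINIT CMS data with SHA-256 instead of SHA-1."""
    if peer_os == "ad":  # Active Directory agents are not affected per the release note
        return True
    return rpm_evr_cmp(krb5_evr, MIN_SHA256_KRB5.get(peer_os, UPSTREAM_MIN)) >= 0

def pkinit_interop_ok(rhel9_policy, peer_os, krb5_evr):
    """Return (ok, reason) for PKINIT between a RHEL 9 agent and the given peer."""
    if peer_signs_sha256(peer_os, krb5_evr):
        return True, "peer signs CMS data with SHA-256"
    # RHEL 9 verifies SHA-1 signatures only under LEGACY or a policy with the SHA1 subpolicy
    if rhel9_policy == "LEGACY" or "SHA1" in rhel9_policy.split(":")[1:]:
        return True, f"peer signs with SHA-1, allowed by crypto-policy {rhel9_policy}"
    return False, f"peer signs with SHA-1, rejected by crypto-policy {rhel9_policy}"

if __name__ == "__main__":
    # Constructed scenario: RHEL 9 client against a RHEL 8.7 IPA server one build too old
    for policy, evr in [("DEFAULT", "1.18.2-16"), ("DEFAULT:SHA1", "1.18.2-16"), ("DEFAULT", "1.18.2-17.el8")]:
        print(policy, evr, pkinit_interop_ok(policy, "rhel8.7", evr))
```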
    • Done

      Description of problem:
      When trying to authenticate with an IPA user using a smart card, the authentication fails.

      For testing I'm using a RHEL9 client that authenticates against a RHEL8 IPA server, and I'm using virtual smart cards (virt_cacard) and opensc as the PKCS#11 module to do the testing.

      The failures only occur when I'm using the DEFAULT crypto-policy (I'm assuming it is the same in FUTURE), but authentication works in LEGACY mode, so it looks like the issue is somehow related to the openssl changes in RHEL9.

      I will attach a couple of logs from /var/log/sssd/ that I think might be helpful; please tell me if you need anything else.

      Version-Release number of selected component (if applicable):
      krb5-libs-1.19.1-15.el9_0.x86_64
      krb5-pkinit-1.19.1-15.el9_0.x86_64
      krb5-workstation-1.19.1-15.el9_0.x86_64

              People: Julien Rische (jrische@redhat.com), Ivan Nikolchev (inikolch@redhat.com), Michal Polovka, Michal Stubna