KRB instance: make provision to work with crypto policy without SHA-1 HMAC types

RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use. Due to bootstrapping process, force explicitly supported encryption types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only in FIPS mode at bootstrap time which then fails to initialize kadmin principals requiring use of AES256-SHA2 and AES128-SHA2. Camellia ciphers must be filtered out in FIPS mode, we do that already in the kerberos.ldif. At this point we are not changing the master key encryption type to AES256-SHA2 because upgrading existing deployments is complicated and at the time when a replica configuration is deployed, we don't know what is the encryption type of the master key of the original server as well. Fixes: https://pagure.io/freeipa/issue/9119 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Julien Rische <jrische@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2025-01-12 17:21:55 -06:00 · 2022-02-25 08:58:24 +02:00 · 2022-02-25 08:58:24 +02:00 · d38dd2680f
commit d38dd2680f
parent 625176a797
3 changed files with 24 additions and 2 deletions
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@ -6,7 +6,8 @@

 [realms]
 $REALM = {
-  master_key_type = aes256-cts
+  master_key_type = $MASTER_KEY_TYPE
+  supported_enctypes = $SUPPORTED_ENCTYPES
  max_life = 7d
  max_renewable_life = 14d
  acl_file = $KRB5KDC_KADM5_ACL
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
 ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-sha2:special
+krbDefaultEncSaltTypes: aes128-sha2:special
 krbDefaultEncSaltTypes: aes256-cts:special
 krbDefaultEncSaltTypes: aes128-cts:special

--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)

 PKINIT_ENABLED = 'pkinitEnabled'

+MASTER_KEY_TYPE = 'aes256-sha1'
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
+                      'aes256-sha2:normal', 'aes128-sha2:normal',
+                      'aes256-cts:special', 'aes128-cts:special',
+                      'aes256-cts:normal', 'aes128-cts:normal',
+                      'camellia256-cts:special', 'camellia128-cts:special',
+                      'camellia256-cts:normal', 'camellia128-cts:normal')
+

 def get_pkinit_request_ca():
    """
@ -252,6 +260,7 @@ class KrbInstance(service.Service):
        else:
            includes = ''

+        fips_enabled = tasks.is_fips_enabled()
        self.sub_dict = dict(FQDN=self.fqdn,
                             IP=self.ip,
                             PASSWORD=self.kdc_password,
@ -269,7 +278,17 @@ class KrbInstance(service.Service):
                             KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
                             CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
                             INCLUDES=includes,
-                             FIPS='#' if tasks.is_fips_enabled() else '')
+                             FIPS='#' if fips_enabled else '')
+
+        if fips_enabled:
+            supported_enctypes = list(
+                filter(lambda e: not e.startswith('camelia'),
+                       SUPPORTED_ENCTYPES))
+        else:
+            supported_enctypes = SUPPORTED_ENCTYPES
+        self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
+
+        self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE

        # IPA server/KDC is not a subdomain of default domain
        # Proper domain-realm mapping needs to be specified