Re: Trouble with kerberos encryption types

[Orion Poplawski <orion@nwra.com>]

[-- Attachment #1: Type: text/plain, Size: 9178 bytes --]

On 5/9/25 07:21, Daniel Kobras wrote:
> Hi!
> 
> Am 07.05.25 um 19:39 schrieb Orion Poplawski:
>> On 5/7/25 10:57, Daniel Kobras wrote:
>>> Am 06.05.25 um 21:54 schrieb Orion Poplawski:
>>>> More details.  The issue seems to arise when doing gssapi delegation from a
>>>> macOS client to the Linux box.  If I have ticket on macOS:
>>>>
>>>> Ticket cache: API:427671FC-DB63-442F-ACA4-13A9194F4398
>>>> Default principal: user@AD.NWRA.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 05/06/25 13:29:54  05/06/25 23:29:54  krbtgt/AD.NWRA.COM@AD.NWRA.COM
>>>>           renew until 05/13/25 13:29:50
>>>> 05/06/25 13:30:30  05/06/25 23:29:54  krbtgt/NWRA.COM@AD.NWRA.COM
>>>> 05/06/25 13:30:30  05/06/25 23:29:54  host/host@NWRA.COM
>>>>
>>>> and ssh to the Linux box, I can't access the nfs mount:
>>>>
>>>> -bash: /home/user/.bash_profile: Permission denied
>>>>
>>>> Ticket cache: KEYRING:persistent:30657:krb_ccache_efgrZpc
>>>> Default principal: user@AD.NWRA.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 05/06/25 13:30:30  05/06/25 23:29:54  krbtgt/AD.NWRA.COM@AD.NWRA.COM
>>>>
>>>> I also notice that the ticket is non-renewable.
>>>>
>>>> If I then kinit I can access the home directory fine.  Other than the new
>>>> ticket being renewable I don't see any difference:
>>>>
>>>> Ticket cache: KEYRING:persistent:30657:krb_ccache_efgrZpc
>>>> Default principal: user@AD.NWRA.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 05/06/25 13:31:27  05/06/25 23:31:27  nfs/server@NWRA.COM
>>>>           renew until 05/13/25 13:31:22
>>>> 05/06/25 13:31:27  05/06/25 23:31:27  krbtgt/NWRA.COM@AD.NWRA.COM
>>>>           renew until 05/13/25 13:31:22
>>>> 05/06/25 13:31:27  05/06/25 23:31:27  krbtgt/AD.NWRA.COM@AD.NWRA.COM
>>>>           renew until 05/13/25 13:31:22
>>>>
>>>> Actually, I also notice now that there is a krbtgt/NWRA.COM principal as
>>>> well.
>>>>    I wonder if that is the difference.
>>>
>>> Can you please check and compare the output of 'klist -ef' (which includes
>>> additional info on enctypes and flags) in both cases? It sounds like the macOS
>>> client is forwarding a ticket that is not accepted by the Linux client's krb5
>>> library. This could happen if eg. the default_tgs_enctypes configured in
>>> krb5.conf on the macOS side is incompatible with the permitted_enctypes in
>>> krb5.conf on the Linux side.
>>
>> That does indeed seem to be the issue - but it seems strange.
>>
>> On the mac:
>>
>> Valid starting       Expires              Service principal
>> 05/07/2025 10:50:16  05/07/2025 20:50:16  krbtgt/AD.NWRA.COM@AD.NWRA.COM
>>         Flags: FPIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
>> aes256-cts-hmac-sha1-96
>>
>> On the Linux box:
>>
>> Valid starting       Expires              Service principal
>> 05/07/2025 11:17:25  05/07/2025 20:50:16  krbtgt/AD.NWRA.COM@AD.NWRA.COM
>>          Flags: FfPA, Etype (skey, tkt): DEPRECATED:arcfour-hmac,
>> aes256-cts-hmac-sha1-96
> 
> Can you please re-check the 'klist -ef' output on the mac once you've ssh'ed
> to the Linux box, ie. once also the host ticket is present in the ccache? The
> TGT that ends up on the Linux system gets requested by the mac, which doesn't
> know about the krb5 configuration on the Linux side,
> and therefore needs to guess the supported enctypes. MIT's libkrb5 derives the
> enctype to request for the forwarded TGT from the ticket for the target
> service, ie. the host service in the case of ssh. On macOS, you're likely
> using a Heimdal-based libkrb5, but I assume it uses a similar heuristic.
> 
> If the ccache shows that related host ticket also uses RC4 enctypes, this
> could be either due to the default set of ticket enctypes configured on the
> mac, or because the AD computer account for your
> Linux system does not allow any stronger enctypes (see msDS-
> supportedEncryptionTypes attribute).

It looks fine on the Mac:

Valid starting     Expires            Service principal
05/09/25 09:05:31  05/09/25 18:32:46  krbtgt/AD.NWRA.COM@AD.NWRA.COM
        renew until 05/15/25 18:11:23, Flags: FfRA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/09/25 09:10:05  05/09/25 18:32:46  krbtgt/NWRA.COM@AD.NWRA.COM
        Flags: FfA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
05/09/25 09:10:05  05/09/25 18:32:46  host/LINUXBOX@NWRA.COM
        Flags: FfAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96


> Either case would explain the weak session key in the forwarded TGT. But then
> I wonder why the ssh login works at all, given that your Linux system ought to
> reject the RC4 host ticket due to its restricted set of
> permitted_enctypes. So something still doesn't add up.

Things are definitely not adding up!

>> The linux box has crypto-policies:
>>
>> [libdefaults]
>> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>> camellia128-cts-cmac
>>
>> Shouldn't that prevent it from ending up with arcfour-hmac in the first place?
>>
>> I tried adding this to the mac without any change:
>>
>> [libdefaults]
>> permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>> camellia128-cts-cmac
>> default_tgs_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
>> aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac
>> camellia128-cts-cmac
> 
> Those are options for MIT's libkrb5. Unless you're using a non-default stack
> on the mac, you probably want to use Heimdal's default_etypes, or the more
> specific default_as_etypes/default_tgs_etypes instead.

I ended up slimming down to:

  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

but those are the option names from man krb5.conf on the mac.

I've set msDS-SupportedEncryptionTypes for the AD user to only allow aes to no
avail.

This seems like arcfour is disabled:

$ kvno host/LINUXBOX -e arcfour-hmac
kvno: KDC has no support for encryption type while getting credentials for
host/LINUXBOX
$ kvno krbtgt/AD.NWRA.COM@AD.NWRA.COM -e arcfour-hmac
kvno: KDC has no support for encryption type while getting credentials for
krbtgt/AD.NWRA.COM@AD.NWRA.COM

I tried enabling KRB5_TRACE during the ssh command, but it does not seem useful:

2025-05-09T09:15:21 set-error: -1765328234: entypes not supported
2025-05-09T09:15:21 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache
FILE:/tmp/krb5cc_1504398909_0a9FHZRC0q
2025-05-09T09:15:21 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache
FILE:/tmp/krb5cc_1504398909_0a9FHZRC0q
2025-05-09T09:15:21 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/time-offset/host\134/LINUXBOX\134@AD.NWRA.COM@X-CACHECONF:
in cache FILE:/tmp/krb5cc_1504398909_0a9FHZRC0q
2025-05-09T09:15:21 Setting up PFS for auth context
2025-05-09T09:15:21 set-error: -1765328234: Encryption type
des-cbc-md5-deprecated not supported
2025-05-09T09:15:21 set-error: -1765328234: Encryption type
des-cbc-md4-deprecated not supported
2025-05-09T09:15:21 set-error: -1765328234: Encryption type
des-cbc-crc-deprecated not supported
2025-05-09T09:15:21 set-error: -1765328234: entypes not supported
2025-05-09T09:15:21 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache
FILE:/tmp/krb5cc_1504398909_0a9FHZRC0q
2025-05-09T09:15:21 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/realm-config@X-CACHECONF: in cache
FILE:/tmp/krb5cc_1504398909_0a9FHZRC0q
2025-05-09T09:15:21 set-error: -1765328243: Did not find credential for
krb5_ccache_conf_data/time-offset/host\134/LINUXBOX\134@AD.NWRA.COM@X-CACHECONF:
in cache FILE:/tmp/krb5cc_1504398909_0a9FHZRC0q
2025-05-09T09:15:21 Setting up PFS for auth context
2025-05-09T09:15:21 set-error: -1765328234: Encryption type
des-cbc-md5-deprecated not supported
2025-05-09T09:15:21 set-error: -1765328234: Encryption type
des-cbc-md4-deprecated not supported
2025-05-09T09:15:21 set-error: -1765328234: Encryption type
des-cbc-crc-deprecated not supported
2025-05-09T09:15:22 krb5_rd_rep not using PFS

-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4087 bytes --]