RT RT/krbdev.mit.edu: Ticket #7596 PKINIT should allow missing DH param Q Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
7596
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.11.3
Target_Version
  • 1.11.3
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 7602: (tlyu) allow dh_min_bits >= 1024 [resolved]
  • 7658: (tlyu) Ignore missing Q in dh_params [resolved]
 
 Dates  
Created: Thu Mar 28 15:13:28 2013
Starts: Not set
Started: Fri Mar 29 16:41:31 2013
Last Contact: Not set
Due: Not set
Updated: Wed Dec 16 18:03:00 2015 by tlyu
 

 People  
Owner
 tlyu
Requestors
 tlyu@mit.edu, rekuread@gmail.com
Cc
 
AdminCc
 
 

 More about Taylor Yu  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 
 More about Reinhard Kugler  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Thu Mar 28 15:13:28 2013  tlyu - Ticket created    
     
To: krb5-bugs@MIT.EDU
Subject: PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 28 Mar 2013 15:13:24 -0400

PKINIT should allow the Diffie-Hellman parameters to omit the Q value
if the P value is the modulus of a well-known group.  As noted in

    http://www.rfc-editor.org/errata_search.php?eid=3157

the Q values for the well-known Oakley MODP group numbers 2, 14, and
16 are (P-1)/2.

The DomainParameters ASN.1 type [RFC3279] requires a "q" value, but
Windows 7 (at least) appears to omit it, causing a decode failure in
pkinit_decode_dh_params().  pkinit_check_dh_params() should probably
allow a null "q1" value if everything else checks out.
server_check_dh() might also need similar changes, but it seems to
only be used for draft9 requests.

Found during interop testing, but Reinhard Kugler <rekuread@gmail.com>
also made a separate report.


Download (untitled) 744b
      Thu Mar 28 15:14:20 2013  tlyu - Requestor Reinhard Kugler <rekuread@gmail.com> added    
      Thu Mar 28 19:18:53 2013  tlyu - Correspondence added    
     
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 28 Mar 2013 19:18:50 -0400
RT-Send-Cc: 

Please try the patch linked below; I don't have an easy way to test it.

https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473


Download (untitled) 150b
      Fri Mar 29 05:08:04 2013  rekuread@gmail.com - Comments added    
     
Date: Fri, 29 Mar 2013 10:08:02 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

thank you!
I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
Unfortunately the test was not successful
The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
But the log output of krbkdc changed:

crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
bad group 2 q dhparameter
p is not well-known group 2 dhparameter
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0xd5ce50
pkinit_fini_req_crypto: freeing   ctx at 0xd560e0
pkinit_fini_identity_crypto: freeing   ctx at 0xd40640
pkinit_fini_plg_crypto: freeing context at 0xd3ee70
pkinit_server_plugin_fini: freeing   context at 0xd2a220


On Fri, Mar 29, 2013 at 12:18 AM, Tom Yu via RT
<rt-comment@krbdev.mit.edu> wrote:
> Please try the patch linked below; I don't have an easy way to test it.
>
> https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473
>


Download (untitled) 1.3k
      Fri Mar 29 05:08:04 2013  rekuread@gmail.com - Correspondence added    
     
Date: Fri, 29 Mar 2013 10:08:02 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

thank you!
I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
Unfortunately the test was not successful
The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
But the log output of krbkdc changed:

crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
bad group 2 q dhparameter
p is not well-known group 2 dhparameter
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0xd5ce50
pkinit_fini_req_crypto: freeing   ctx at 0xd560e0
pkinit_fini_identity_crypto: freeing   ctx at 0xd40640
pkinit_fini_plg_crypto: freeing context at 0xd3ee70
pkinit_server_plugin_fini: freeing   context at 0xd2a220


On Fri, Mar 29, 2013 at 12:18 AM, Tom Yu via RT
<rt-comment@krbdev.mit.edu> wrote:
> Please try the patch linked below; I don't have an easy way to test it.
>
> https://github.com/tlyu/krb5/commit/c12dcd46510fb8466586c936dc0c434fe0861473
>


Download (untitled) 1.3k
      Fri Mar 29 10:03:30 2013  tlyu - Correspondence added    
     
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 29 Mar 2013 10:03:28 -0400
RT-Send-Cc: 

"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

> thank you!
> I applied the patch to the krb-1.11.1 source, compiled pkinit and installed it.
> Unfortunately the test was not successful
> The client shows the error 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
> But the log output of krbkdc changed:
>
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> bad group 2 q dhparameter

Interesting.  Maybe try putting "aip = NULL;" right before the call to
M_ASN1_D2I_get_opt()?


Download (untitled) 839b
      Fri Mar 29 16:41:21 2013  tlyu - Given to tlyu    
      Fri Mar 29 16:41:31 2013  tlyu - Status changed from new to open    
      Fri Mar 29 18:39:51 2013  tlyu - Correspondence added    
     
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 29 Mar 2013 18:39:48 -0400
RT-Send-Cc: 

"Tom Yu via RT" <rt-comment@krbdev.mit.edu> writes:

> Interesting.  Maybe try putting "aip = NULL;" right before the call to
> M_ASN1_D2I_get_opt()?

Ignore the above; it's probably wrong.  Instead, please try this patch
in place of my previous patch:

    https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540


Download (untitled) 335b
      Sat Mar 30 03:10:56 2013  rekuread@gmail.com - Correspondence added    
     
Date: Sat, 30 Mar 2013 08:10:52 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

> Ignore the above; it's probably wrong.  Instead, please try this patch
> in place of my previous patch:
>
>     https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540

now the pkinit phase looks good, but I still get "bad username or
password" on the windows client.
Eventvwr shows this error:
A Kerberos Error Message was received:
 on logon session p130@kerberos.3ve.bmlv.at
 Client Time: 20:11:58.0000 10/17/2022 Z
 Server Time: 6:56:57.0000 3/30/2013 Z
 Error Code: 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
 Extended Error:
 Client Realm: kerberos.3ve.bmlv.at
 Client Name: p130
 Server Realm: kerberos.3ve.bmlv.at
 Server Name: krbtgt/kerberos.3ve.bmlv.at
 Target Name: krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
 Error Text: PREAUTH_FAILED
 File: e
 Line: 9fe
 Error Data is in record data.

"Client Time" looks wrong, but the system time is set to 30.03.2013 08:10 UTC+1

On the network I see
AS-REQ
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ
KRB Error: KDC_ERR_KEY_TOO_WEAK
AS-REQ
AS-REP

krbkdc -n:

pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e2ca90
pkinit_fini_req_crypto: freeing   ctx at 0x1e2e7a0
^Cpkinit_fini_identity_crypto: freeing   ctx at 0x1e07640
pkinit_fini_plg_crypto: freeing context at 0x1e05e70
pkinit_server_plugin_fini: freeing   context at 0x1df1220


Download (untitled) 4.4k
      Sat Mar 30 03:10:56 2013  rekuread@gmail.com - Comments added    
     
Date: Sat, 30 Mar 2013 08:10:52 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

> Ignore the above; it's probably wrong.  Instead, please try this patch
> in place of my previous patch:
>
>     https://github.com/tlyu/krb5/commit/dd93f6f41d98c31705cd081f5a11ffcd43da3540

now the pkinit phase looks good, but I still get "bad username or
password" on the windows client.
Eventvwr shows this error:
A Kerberos Error Message was received:
 on logon session p130@kerberos.3ve.bmlv.at
 Client Time: 20:11:58.0000 10/17/2022 Z
 Server Time: 6:56:57.0000 3/30/2013 Z
 Error Code: 0x41 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
 Extended Error:
 Client Realm: kerberos.3ve.bmlv.at
 Client Name: p130
 Server Realm: kerberos.3ve.bmlv.at
 Server Name: krbtgt/kerberos.3ve.bmlv.at
 Target Name: krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
 Error Text: PREAUTH_FAILED
 File: e
 Line: 9fe
 Error Data is in record data.

"Client Time" looks wrong, but the system time is set to 30.03.2013 08:10 UTC+1

On the network I see
AS-REQ
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ
KRB Error: KDC_ERR_KEY_TOO_WEAK
AS-REQ
AS-REP

krbkdc -n:

pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key
parameters not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1df1790 for realm
'kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e2ca90
pkinit_fini_req_crypto: freeing   ctx at 0x1e2e7a0
^Cpkinit_fini_identity_crypto: freeing   ctx at 0x1e07640
pkinit_fini_plg_crypto: freeing context at 0x1e05e70
pkinit_server_plugin_fini: freeing   context at 0x1df1220


Download (untitled) 4.4k
      Sat Mar 30 06:09:28 2013  rekuread@gmail.com - Comments added    
     
Date: Sat, 30 Mar 2013 11:09:27 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

The pkinit succeeds on the KDC, but Windows seems to get confused with
the "Key parameters not accepted" error.

Authentication with Windows 7 + Smartcard:

Mar 30 08:30:37 kerberos.example.org krb5kdc[2584](info): AS_REQ (7
etypes {18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): preauth
(pkinit) verify failure: Key parameters not accepted
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: PREAUTH_FAILED:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Key parameters not
accepted
Mar 30 08:30:40 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: ISSUE: authtime
1364628640, etypes {rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at
for krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:30:41 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required

Authentication of Linux + Certificate
kinit -V -X
X509_user_identity=FILE:///home/catmin/Desktop/exampleca/client.pem,/home/catmin/Desktop/exampleca/clientkey.pem
p130@kerberos.3ve.bmlv.at

Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: ISSUE: authtime 1364628691, etypes
{rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): closing down fd 12


Download (untitled) 1.9k
      Sat Mar 30 06:09:28 2013  rekuread@gmail.com - Correspondence added    
     
Date: Sat, 30 Mar 2013 11:09:27 +0100
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

The pkinit succeeds on the KDC, but Windows seems to get confused with
the "Key parameters not accepted" error.

Authentication with Windows 7 + Smartcard:

Mar 30 08:30:37 kerberos.example.org krb5kdc[2584](info): AS_REQ (7
etypes {18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): preauth
(pkinit) verify failure: Key parameters not accepted
Mar 30 08:30:39 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: PREAUTH_FAILED:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Key parameters not
accepted
Mar 30 08:30:40 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: ISSUE: authtime
1364628640, etypes {rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at
for krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:30:41 kerberos.example.org krb5kdc[2584](info): AS_REQ (9
etypes {12 15 18 17 23 3 1 24 -135}) 192.168.56.101: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required

Authentication of Linux + Certificate
kinit -V -X
X509_user_identity=FILE:///home/catmin/Desktop/exampleca/client.pem,/home/catmin/Desktop/exampleca/clientkey.pem
p130@kerberos.3ve.bmlv.at

Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: NEEDED_PREAUTH:
p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at, Additional
pre-authentication required
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.56.1: ISSUE: authtime 1364628691, etypes
{rep=18 tkt=18 ses=18}, p130@kerberos.3ve.bmlv.at for
krbtgt/kerberos.3ve.bmlv.at@kerberos.3ve.bmlv.at
Mar 30 08:31:31 kerberos.example.org krb5kdc[2584](info): closing down fd 12


Download (untitled) 1.9k
      Mon Apr  1 17:27:52 2013  tlyu - Correspondence added    
     
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 01 Apr 2013 17:27:50 -0400
RT-Send-Cc: 

"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

> pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> client sent dh params with 1024 bits, we require 2048

The above looks like a possible configuration problem.  For some
reason, the Windows 7 client is sending 1024 bits, while the KDC
requires 2048 bits.

> bad dh parameters
> pkinit_verify_padata failed: creating e-data
> pkinit_create_edata: creating edata for error -1765328319 (Key
> parameters not accepted)
> pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> pkinit_verify_padata: entered!
> pkinit_find_realm_context: returning context at 0x1df1790 for realm
> 'kerberos.3ve.bmlv.at'
> pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> processing KRB5_PADATA_PK_AS_REQ
> CMS Verification successful
> #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> crypto_retrieve_X509_sans: looking for SANs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> verify_client_san: Checking pkinit sans
> verify_client_san: no pkinit san match found
> verify_client_san: Checking upn sans
> verify_client_san: upn san match found
> verify_client_san: returning retval 0, valid_san 1
> crypto_check_cert_eku: looking for EKUs in cert =
> /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> crypto_check_cert_eku: found eku info in the cert
> crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
> crypto_check_cert_eku: found digitalSignature KU
> crypto_check_cert_eku: returning retval 0, valid_eku 1
> verify_client_eku: returning retval 0, eku_accepted 1
> p is not well-known group 2 dhparameter
> good 2048 dhparams

Is the above also from the same Windows 7 client during the same
authentication attempt?


Download (untitled) 3.2k
      Tue Apr  2 06:50:42 2013  rekuread@gmail.com - Correspondence added    
     
Date: Tue, 2 Apr 2013 12:50:41 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

 

     
On Mon, Apr 1, 2013 at 11:27 PM, Tom Yu via RT <rt-comment@krbdev.mit.edu>wrote:

> "Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:
>
> > pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> > pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> > processing KRB5_PADATA_PK_AS_REQ
> > CMS Verification successful
> > #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=
> p130@kerberos.3ve.bmlv.at
> > #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> > crypto_retrieve_X509_sans: looking for SANs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> > crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> > verify_client_san: Checking pkinit sans
> > verify_client_san: no pkinit san match found
> > verify_client_san: Checking upn sans
> > verify_client_san: upn san match found
> > verify_client_san: returning retval 0, valid_san 1
> > crypto_check_cert_eku: looking for EKUs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_check_cert_eku: found eku info in the cert
> > crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> > crypto_check_cert_eku: found acceptable EKU, checking for
> digitalSignature
> > crypto_check_cert_eku: found digitalSignature KU
> > crypto_check_cert_eku: returning retval 0, valid_eku 1
> > verify_client_eku: returning retval 0, eku_accepted 1
> > client sent dh params with 1024 bits, we require 2048
>
> The above looks like a possible configuration problem.  For some
> reason, the Windows 7 client is sending 1024 bits, while the KDC
> requires 2048 bits.
>

I didn't find how to change the dh key length on the Windows 7
I added "pkinit_dh_min_bits = 1024" to the /etc/krb5.conf
But this seens to have no effact on the behavior of the kdc.

> bad dh parameters
> > pkinit_verify_padata failed: creating e-data
> > pkinit_create_edata: creating edata for error -1765328319 (Key
> > parameters not accepted)
> > pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> > pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> > pkinit_verify_padata: entered!
> > pkinit_find_realm_context: returning context at 0x1df1790 for realm
> > 'kerberos.3ve.bmlv.at'
> > pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> > pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> > processing KRB5_PADATA_PK_AS_REQ
> > CMS Verification successful
> > #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=
> p130@kerberos.3ve.bmlv.at
> > #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> > crypto_retrieve_X509_sans: looking for SANs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> > crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> > verify_client_san: Checking pkinit sans
> > verify_client_san: no pkinit san match found
> > verify_client_san: Checking upn sans
> > verify_client_san: upn san match found
> > verify_client_san: returning retval 0, valid_san 1
> > crypto_check_cert_eku: looking for EKUs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_check_cert_eku: found eku info in the cert
> > crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> > crypto_check_cert_eku: found acceptable EKU, checking for
> digitalSignature
> > crypto_check_cert_eku: found digitalSignature KU
> > crypto_check_cert_eku: returning retval 0, valid_eku 1
> > verify_client_eku: returning retval 0, eku_accepted 1
> > p is not well-known group 2 dhparameter
> > good 2048 dhparams
>
> Is the above also from the same Windows 7 client during the same
> authentication attempt?
>

yes
I looks like the windows 7 client does two attempts before giving up.
The first is quit with "bad dh parameters" and
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
The second seems to succeed, but is not accepted by the windows 7 client.

I repeated the test:
- start kdc
- do a single authentication via "runas /smartcard cmd"
same result

[root@kerberos ~]# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init_realm: initializing context at 0x1d3f820 for
realm 'kerberos.3ve.bmlv.at'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x1d53f00
pkinit_init_identity_crypto: returning ctx at 0x1d556d0
pkinit_init_kdc_profile: entered for realm kerberos.3ve.bmlv.at
pkinit_init_kdc_profile: invalid value (1024) for pkinit_dh_min_bits, using
default value (2048) instead
pkinit_identity_initialize: 0x1d38200 0x1d55840 0x1d556d0
process_option_identity: processing value
'FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value
'FILE:/var/kerberos/krb5kdc/ca.pem'
crypto_load_cas_and_crls: called with idtype FILE and catype ANCHORS
pkinit_server_plugin_init_realm: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_plugin_init: returning context at 0x1d3f2b0
krb5kdc: starting...
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ce70
pkinit_init_kdc_req_context: returning reqctx at 0x1d6cce0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key parameters
not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d6cce0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ce70
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ada0
pkinit_init_kdc_req_context: returning reqctx at 0x1d71ae0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d71ae0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ada0
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'


krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = kerberos.3ve.bmlv.at
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 1h
 forwardable = true
 allow_weak_crypto = true

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[domain_realm]
 .kerberos.3ve.bmlv.at = kerberos.3ve.bmlv.at
 kerberos.3ve.bmlv.at = kerberos.3ve.bmlv.at

[realms]
kerberos.3ve.bmlv.at = {
 kdc = dc.kerberos.3ve.bmlv.at:88
 admin_server = dc.kerberos.3ve.bmlv.at:749
 default_domain = kerberos.3ve.bmlv.at
 kadmind_port = 749
 max_life = 2h 0m 0s
 max_renewable_life = 0d 1h 0m 0s
 master_key_type = aes128-cts
 acl_file = /var/kerberos/krb5kdc/3ve-kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/3ve-kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal
des3-hmac-sha1:normal arcfour-hmac:normal arcfour-hmac-md5:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 pkinit_identity =
FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/ca.pem
 #pkinit_eku_checking = none
 pkinit_dh_min_bits = 1024
 pkinit_allow_upn = true
 #allow_weak_crypto = true
}

Download (untitled) 10.7k
     
 
Download (untitled) 18.7k
      Tue Apr  2 06:50:42 2013  rekuread@gmail.com - Comments added    
     
Date: Tue, 2 Apr 2013 12:50:41 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

 

     
On Mon, Apr 1, 2013 at 11:27 PM, Tom Yu via RT <rt-comment@krbdev.mit.edu>wrote:

> "Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:
>
> > pkinit_init_req_crypto: returning ctx at 0x1e2e2c0
> > pkinit_init_kdc_req_context: returning reqctx at 0x1e27010
> > processing KRB5_PADATA_PK_AS_REQ
> > CMS Verification successful
> > #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=
> p130@kerberos.3ve.bmlv.at
> > #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> > crypto_retrieve_X509_sans: looking for SANs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> > crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> > verify_client_san: Checking pkinit sans
> > verify_client_san: no pkinit san match found
> > verify_client_san: Checking upn sans
> > verify_client_san: upn san match found
> > verify_client_san: returning retval 0, valid_san 1
> > crypto_check_cert_eku: looking for EKUs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_check_cert_eku: found eku info in the cert
> > crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> > crypto_check_cert_eku: found acceptable EKU, checking for
> digitalSignature
> > crypto_check_cert_eku: found digitalSignature KU
> > crypto_check_cert_eku: returning retval 0, valid_eku 1
> > verify_client_eku: returning retval 0, eku_accepted 1
> > client sent dh params with 1024 bits, we require 2048
>
> The above looks like a possible configuration problem.  For some
> reason, the Windows 7 client is sending 1024 bits, while the KDC
> requires 2048 bits.
>

I didn't find how to change the dh key length on the Windows 7
I added "pkinit_dh_min_bits = 1024" to the /etc/krb5.conf
But this seens to have no effact on the behavior of the kdc.

> bad dh parameters
> > pkinit_verify_padata failed: creating e-data
> > pkinit_create_edata: creating edata for error -1765328319 (Key
> > parameters not accepted)
> > pkinit_fini_kdc_req_context: freeing   reqctx at 0x1e27010
> > pkinit_fini_req_crypto: freeing   ctx at 0x1e2e2c0
> > pkinit_verify_padata: entered!
> > pkinit_find_realm_context: returning context at 0x1df1790 for realm
> > 'kerberos.3ve.bmlv.at'
> > pkinit_init_req_crypto: returning ctx at 0x1e2e7a0
> > pkinit_init_kdc_req_context: returning reqctx at 0x1e2ca90
> > processing KRB5_PADATA_PK_AS_REQ
> > CMS Verification successful
> > #0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=
> p130@kerberos.3ve.bmlv.at
> > #1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
> > crypto_retrieve_X509_sans: looking for SANs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
> > crypto_retrieve_X509_sans: SAN type = 1 expecting 0
> > verify_client_san: Checking pkinit sans
> > verify_client_san: no pkinit san match found
> > verify_client_san: Checking upn sans
> > verify_client_san: upn san match found
> > verify_client_san: returning retval 0, valid_san 1
> > crypto_check_cert_eku: looking for EKUs in cert =
> > /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
> > crypto_check_cert_eku: found eku info in the cert
> > crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
> > crypto_check_cert_eku: found acceptable EKU, checking for
> digitalSignature
> > crypto_check_cert_eku: found digitalSignature KU
> > crypto_check_cert_eku: returning retval 0, valid_eku 1
> > verify_client_eku: returning retval 0, eku_accepted 1
> > p is not well-known group 2 dhparameter
> > good 2048 dhparams
>
> Is the above also from the same Windows 7 client during the same
> authentication attempt?
>

yes
I looks like the windows 7 client does two attempts before giving up.
The first is quit with "bad dh parameters" and
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
The second seems to succeed, but is not accepted by the windows 7 client.

I repeated the test:
- start kdc
- do a single authentication via "runas /smartcard cmd"
same result

[root@kerberos ~]# /usr/local/sbin/krb5kdc -n
pkinit_server_plugin_init: processing realm 'kerberos.3ve.bmlv.at'
pkinit_server_plugin_init_realm: initializing context at 0x1d3f820 for
realm 'kerberos.3ve.bmlv.at'
pkinit_init_plg_crypto: initializing openssl crypto context at 0x1d53f00
pkinit_init_identity_crypto: returning ctx at 0x1d556d0
pkinit_init_kdc_profile: entered for realm kerberos.3ve.bmlv.at
pkinit_init_kdc_profile: invalid value (1024) for pkinit_dh_min_bits, using
default value (2048) instead
pkinit_identity_initialize: 0x1d38200 0x1d55840 0x1d556d0
process_option_identity: processing value
'FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem'
process_option_identity: idtype is FILE
process_option_ca_crl: processing catype ANCHORS, value
'FILE:/var/kerberos/krb5kdc/ca.pem'
crypto_load_cas_and_crls: called with idtype FILE and catype ANCHORS
pkinit_server_plugin_init_realm: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_plugin_init: returning context at 0x1d3f2b0
krb5kdc: starting...
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ce70
pkinit_init_kdc_req_context: returning reqctx at 0x1d6cce0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
client sent dh params with 1024 bits, we require 2048
bad dh parameters
pkinit_verify_padata failed: creating e-data
pkinit_create_edata: creating edata for error -1765328319 (Key parameters
not accepted)
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d6cce0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ce70
pkinit_verify_padata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_init_req_crypto: returning ctx at 0x1d6ada0
pkinit_init_kdc_req_context: returning reqctx at 0x1d71ae0
processing KRB5_PADATA_PK_AS_REQ
CMS Verification successful
#0 cert= /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
#1 cert= /DC=at/DC=bmlv/DC=3ve/DC=kerberos/CN=kerberos-DC-CA
crypto_retrieve_X509_sans: looking for SANs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_retrieve_X509_sans: found 2 subject alt name extension(s)
crypto_retrieve_X509_sans: SAN type = 1 expecting 0
verify_client_san: Checking pkinit sans
verify_client_san: no pkinit san match found
verify_client_san: Checking upn sans
verify_client_san: upn san match found
verify_client_san: returning retval 0, valid_san 1
crypto_check_cert_eku: looking for EKUs in cert =
/C=AT/ST=Austria/L=Vienna/O=kerberos/CN=p130@kerberos.3ve.bmlv.at
crypto_check_cert_eku: found eku info in the cert
crypto_check_cert_eku: checking eku 1 of 3, allow_secondary = 0
crypto_check_cert_eku: found acceptable EKU, checking for digitalSignature
crypto_check_cert_eku: found digitalSignature KU
crypto_check_cert_eku: returning retval 0, valid_eku 1
verify_client_eku: returning retval 0, eku_accepted 1
p is not well-known group 2 dhparameter
good 2048 dhparams
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_return_padata: entered!
KDC picked etype = 18
received DH key delivery AS REQ
building certificate chain
size of certificate chain = 2
cert #0: /C=AT/ST=Austria/L=Vienna/O=kerberos/CN=dc.kerberos.3ve.bmlv.at
mech = FS
pkinit_fini_kdc_req_context: freeing   reqctx at 0x1d71ae0
pkinit_fini_req_crypto: freeing   ctx at 0x1d6ada0
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'
pkinit_server_get_edata: entered!
pkinit_find_realm_context: returning context at 0x1d3f820 for realm '
kerberos.3ve.bmlv.at'


krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug = true
 default_realm = kerberos.3ve.bmlv.at
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 1h
 forwardable = true
 allow_weak_crypto = true

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[domain_realm]
 .kerberos.3ve.bmlv.at = kerberos.3ve.bmlv.at
 kerberos.3ve.bmlv.at = kerberos.3ve.bmlv.at

[realms]
kerberos.3ve.bmlv.at = {
 kdc = dc.kerberos.3ve.bmlv.at:88
 admin_server = dc.kerberos.3ve.bmlv.at:749
 default_domain = kerberos.3ve.bmlv.at
 kadmind_port = 749
 max_life = 2h 0m 0s
 max_renewable_life = 0d 1h 0m 0s
 master_key_type = aes128-cts
 acl_file = /var/kerberos/krb5kdc/3ve-kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/3ve-kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal
des3-hmac-sha1:normal arcfour-hmac:normal arcfour-hmac-md5:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 pkinit_identity =
FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/ca.pem
 #pkinit_eku_checking = none
 pkinit_dh_min_bits = 1024
 pkinit_allow_upn = true
 #allow_weak_crypto = true
}

Download (untitled) 10.7k
     
 
Download (untitled) 18.7k
      Wed Apr  3 06:05:09 2013  rekuread@gmail.com - Comments added    
     
Date: Wed, 3 Apr 2013 12:05:08 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

 

     
I temporarily removed the check of the dh key length
in pkinit_crypto_openssl.c

    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    dh_prime_bits = BN_num_bits(dh->p);
    /*if (minbits && dh_prime_bits < minbits) {
        pkiDebug("client sent dh params with %d bits, we require %d\n",
                 dh_prime_bits, minbits);
        goto cleanup;
    }*/

pkinit succeeded and windows was able to acquire a TGT

Download (untitled) 444b
     
 
Download (untitled) 652b
      Wed Apr  3 06:05:09 2013  rekuread@gmail.com - Correspondence added    
     
Date: Wed, 3 Apr 2013 12:05:08 +0200
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Reinhard Kugler <rekuread@gmail.com>
To: rt-comment@krbdev.mit.edu, rt@krbdev.mit.edu
RT-Send-Cc: 

 

     
I temporarily removed the check of the dh key length
in pkinit_crypto_openssl.c

    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    dh_prime_bits = BN_num_bits(dh->p);
    /*if (minbits && dh_prime_bits < minbits) {
        pkiDebug("client sent dh params with %d bits, we require %d\n",
                 dh_prime_bits, minbits);
        goto cleanup;
    }*/

pkinit succeeded and windows was able to acquire a TGT

Download (untitled) 444b
     
 
Download (untitled) 652b
      Wed Apr  3 10:13:55 2013  tlyu - Correspondence added    
     
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 03 Apr 2013 10:13:36 -0400
RT-Send-Cc: 

"Reinhard Kugler via RT" <rt-comment@krbdev.mit.edu> writes:

> I temporarily removed the check of the dh key length
> in pkinit_crypto_openssl.c
>
>     /* KDC SHOULD check to see if the key parameters satisfy its policy */
>     dh_prime_bits = BN_num_bits(dh->p);
>     /*if (minbits && dh_prime_bits < minbits) {
>         pkiDebug("client sent dh params with %d bits, we require %d\n",
>                  dh_prime_bits, minbits);
>         goto cleanup;
>     }*/
>
> pkinit succeeded and windows was able to acquire a TGT

Thanks for the additional information.  Based on your previous logs,
it looks like the Windows client makes the following requests:

1. AS-REQ, no preauth -> KRB-ERROR, additional preauth needed

2. AS-REQ, PKINIT, 1024-bit DH -> KRB-ERROR, bad key params

3. AS-REQ, PKINIT, 2048-bit DH -> AS-REP

4. AS-REQ, no preauth or unknown preauth -> KRB-ERROR, additional
   preauth needed

Windows is possibly failing to handle the DH parameter negotiation
correctly.  Interestingly, Windows is including the PKINIT special
enctypes on request #4, but probably omitting the actual PKINIT
preauth.

Also, it seems that the compile-time constant that establishes the
default DH modulus size serves as a lower bound on the configurable DH
modulus size, so the configuration setting "pkinit_dh_min_bits = 1024"
has no effect because the compiled-time constant is 2048:

    pkinit_init_kdc_profile: invalid value (1024) for
    pkinit_dh_min_bits, using default value (2048) instead

This happens in pkinit_srv.c:pkinit_init_kdc_profile().

Getting more detailed trace information from the Windows client would
be useful, but I think Windows 7 might have made that more difficult
(changed trace logging to a proprietary binary format?).  I will look
around to see what I can find on this topic.


Download (untitled) 1.7k
      Fri Apr 12 21:54:12 2013  tlyu - Target_Version 1.11.3 added    
      Fri Apr 12 21:54:12 2013  tlyu - Status changed from open to review    
      Fri Apr 12 21:54:12 2013  tlyu - Tags pullup added    
      Fri Apr 12 21:54:12 2013  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Ignore missing Q in dh_params

Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

https://github.com/krb5/krb5/commit/ed77a25c53ed6afd41372838f205a98a561a89fb
Author: Tom Yu <tlyu@mit.edu>
Commit: ed77a25c53ed6afd41372838f205a98a561a89fb
Branch: master
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)


Download (untitled) 415b
      Thu Apr 25 14:22:56 2013  tlyu - Status changed from review to resolved    
      Thu Apr 25 14:22:56 2013  tlyu - Version_Fixed 1.11.3 added    
      Thu Apr 25 14:22:56 2013  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Ignore missing Q in dh_params

Some implementations don't send the required Q value in dh_params, so
allow it to be absent.

(cherry picked from commit ed77a25c53ed6afd41372838f205a98a561a89fb)

https://github.com/krb5/krb5/commit/5d2c49df555fbf56d3b15a9096cad729525c5f74
Author: Tom Yu <tlyu@mit.edu>
Commit: 5d2c49df555fbf56d3b15a9096cad729525c5f74
Branch: krb5-1.11
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)


Download (untitled) 488b
      Wed Dec 16 18:03:00 2015  tlyu - Keyword pullup deleted