Package: libgssapi-krb5-2
Version: 1.17-3
Severity: important

Dear Maintainer,

with the recent update of the krb5 Debian packages (1.17-4), support
for deprecated DES types was removed. However, the Linux kernel is
using a hard-coded list of encryption types which still contains DES.
Because of this, the current krb5/gss/nfs implementation causes NFSv4
mounts to fail.

This is the sequence of failing calls according to my understanding:

Short version:

  * Linux Kernel nfs/gss/krb5 functions use a hard-coded list with
    some (now) invalid enctypes: "18,17,16,23,3,1,2"

  * krb5 machine context creation fails in
    gss_krb5int_set_allowable_enctypes since it fails as soon as a
    single enctype (namely types 1, 2, 3 received from the kernel) is
    not valid instead of filtering out deprecated ones.

Long version:

*  Linux Kernel creates the gss rpc message with a hard-coded list of
   encryption types. Types 3,1,2 are not supported by the krb5 Debian
   packages any more.

        ./include/linux/sunrpc/gss_krb5_enctypes.h:#define KRB5_SUPPORTED_ENCTYPES "18,17,16,23,3,1,2"
        ./net/sunrpc/auth_gss/gss_krb5_mech.c:  .gm_upcall_enctypes = KRB5_SUPPORTED_ENCTYPES
        ./net/sunrpc/auth_gss/auth_gss.c:
                     gss_encode_v1_msg(...)  {
                        [...]
                        scnprintf(p, buflen, "enctypes=%s ", mech->gm_upcall_enctypes)


*  gss rpc receiver: (/usr/sbin/rpc.gssd, package nfs-common) receives
   the enctype list and later fails when calling krb5 library functions

        Creation of machine context fails:

        ./utils/gssd/gssd_proc.c:
              handle_gssd_upcall  receives enctypes string from kernel:

              Jan 01 00:00:00 hostname rpc.gssd[1234]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt45)

              ==> global list "krb5_enctypes" is initialized with
              list received from kernel

        ./utils/gssd/gssd_proc.c:

              Jan 01 00:00:00 hostname rpc.gssd[1234]: WARNING: Failed to create machine krb5 context with ...

              handle_krb5_upcall
              --> process_krb5_upcall
              --> krb5_use_machine_creds
              --> create_auth_rpc_client
              --> create_auth_rpc_client
              --> limit_krb5_enctypes (fails)

        ./util/gssd/krb5_util.c:
              limit_krb5_enctypes uses global list in krb5_enctypes received from kernel (see above)
              --> gss_set_allowable_enctypes
              --> gss_krb5_set_allowable_enctypes (fails) in package krb5 (see below)

              Jan 01 00:00:00 hostname rpc.gssd[1234]: INFO: limit_krb5_enctypes sees krb5_enctypes = 0x12345678, size 7, limit_to_legacy_enctypes = 0
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[0] = 18
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[1] = 17
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[2] = 16
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[3] = 23
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[4] = 3
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[5] = 1
              Jan 01 00:00:00 hostname rpc.gssd[1234]: used_enctypes[6] = 2

    krb5 package finally causes the actual fail:

         gss_krb5_set_allowable_enctypes
         --> ...
         --> gss_krb5int_set_allowable_enctypes (fails, ./src/lib/gssapi/krb5/set_allowable_enctypes.c)

             * checks if every enctype is valid
             * fully fails if any enctype is invalid

             * does NOT filter for valid types and silently discard
               invalid ones

Though I'm not an expert in krb5/gss/nfs and how which of the three
involved packages should act, I'd guess that rather than changing the
Linux kernel one of the two following options might be reasonable:

* The nfs packages could filter out invalid enctypes before calling
  gss_krb5_set_allowable_enctypes

* The krb5 package could modify gss_krb5int_set_allowable_enctypes in
  order to ignore / filter out deprecated enctypes.

Would any further option be possible? I could not find a related
change in the upstream git of krb5.

For now, I'm forced to downgrade all krb5 related packages from 1.17-4
to 1.17-3 to make NFSv4 work again.

With best regards and many thx for your support!

  Martin



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/6 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgssapi-krb5-2 depends on:
ii  libc6            2.28-10
ii  libcom-err2      1.45.2-1
ii  libk5crypto3     1.17-3
ii  libkeyutils1     1.6-6
ii  libkrb5-3        1.17-3
ii  libkrb5support0  1.17-3

libgssapi-krb5-2 recommends no packages.

Versions of packages libgssapi-krb5-2 suggests:
pn  krb5-doc   <none>
ii  krb5-user  1.17-3

-- no debconf information
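As an added example (not code from rpc.gssd, libkrb5 or this report), here is the filtering step the report's first option describes: parse the kernel's hard-coded enctype list and drop the enctypes the local krb5 library no longer supports, so that only usable types reach gss_krb5_set_allowable_enctypes and one removed DES type does not fail the whole machine-context creation. The SUPPORTED table, the krb5_enctype_t typedef and the parse_enctypes/filter_enctypes names are assumptions of this example; a real rpc.gssd patch would ask krb5_c_valid_enctype() instead of consulting a static table.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for krb5's krb5_enctype (a 32-bit integer); assumed here so the
 * example compiles without libkrb5 headers. */
typedef int krb5_enctype_t;

/* Registered Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757). */
#define ENCTYPE_DES_CBC_CRC           1   /* DES: removed in krb5 1.17-4 per the report */
#define ENCTYPE_DES_CBC_MD4           2   /* DES */
#define ENCTYPE_DES_CBC_MD5           3   /* DES */
#define ENCTYPE_DES3_CBC_SHA1        16
#define ENCTYPE_AES128_CTS_HMAC_SHA1 17
#define ENCTYPE_AES256_CTS_HMAC_SHA1 18
#define ENCTYPE_ARCFOUR_HMAC         23

/* Constructed table: what a DES-less krb5 build still accepts. In a real
 * rpc.gssd patch this lookup would be krb5_c_valid_enctype() from libkrb5
 * rather than a static list. */
static const krb5_enctype_t SUPPORTED[] = {
    ENCTYPE_AES256_CTS_HMAC_SHA1, ENCTYPE_AES128_CTS_HMAC_SHA1,
    ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC,
};

static int enctype_supported(krb5_enctype_t e)
{
    for (size_t i = 0; i < sizeof SUPPORTED / sizeof SUPPORTED[0]; i++)
        if (SUPPORTED[i] == e)
            return 1;
    return 0;
}

/* Parse the kernel's comma-separated "enctypes=" value (e.g. "18,17,16,23,3,1,2",
 * possibly followed by the blank the upcall line carries) into out[].
 * Returns the number of entries, or -1 on a malformed token, overflow or a
 * full buffer. */
int parse_enctypes(const char *list, krb5_enctype_t *out, size_t max)
{
    size_t n = 0;
    const char *p = list;

    while (*p != '\0') {
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (end == p || errno != 0 || v <= 0 || v > INT_MAX)
            return -1;                       /* empty or non-numeric token */
        while (*end == ' ')
            end++;                           /* tolerate trailing blanks */
        if (*end != ',' && *end != '\0')
            return -1;
        if (n == max)
            return -1;                       /* caller's buffer too small */
        out[n++] = (krb5_enctype_t)v;
        p = (*end == ',') ? end + 1 : end;
    }
    return (int)n;
}

/* Drop enctypes the library no longer knows, keeping the kernel's preference
 * order. Returns the number of entries kept; 0 means nothing usable is left
 * for gss_krb5_set_allowable_enctypes(), which the caller should report as an
 * error instead of passing an empty list on. */
int filter_enctypes(krb5_enctype_t *list, int n)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (enctype_supported(list[i]))
            list[kept++] = list[i];
    return kept;
}

int main(void)
{
    /* Constructed input: the list from the report's handle_gssd_upcall line. */
    const char *from_kernel = "18,17,16,23,3,1,2 ";
    krb5_enctype_t e[16];
    int n = parse_enctypes(from_kernel, e, sizeof e / sizeof e[0]);
    if (n < 0) {
        fprintf(stderr, "malformed enctype list: '%s'\n", from_kernel);
        return 1;
    }
    int kept = filter_enctypes(e, n);
    printf("kernel offered %d enctypes, %d usable by this krb5:", n, kept);
    for (int i = 0; i < kept; i++)
        printf(" %d", e[i]);
    printf("\n");
    return kept > 0 ? 0 : 1;
}
```

Run against the report's list the program keeps 18,17,16,23 and discards 3,1,2; the same filter placed in limit_krb5_enctypes before gss_set_allowable_enctypes would be the nfs-common side of the fix, and the same loop inside gss_krb5int_set_allowable_enctypes would be the krb5 side. Either way the caller must still treat an empty result as a failure, since handing an empty list to the GSS layer would only move the error.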
