[39436] in Kerberos


recent certificate failure for pkinit

daemon@ATHENA.MIT.EDU (Matt Zagrabelny via Kerberos)
Mon Jul 8 14:55:05 2024

Date: Mon, 8 Jul 2024 13:54:40 -0500
Message-ID: <CAOLfK3XsL_QKci34mgeWdpra6Fr3AbDfiMPm+ufd0P2L4-DshA@mail.gmail.com>
To: kerberos <kerberos@mit.edu>
From: Matt Zagrabelny via Kerberos <kerberos@mit.edu>
Reply-To: Matt Zagrabelny <mzagrabe@d.umn.edu>

Greetings Kerberos-users,

I've been successfully using OTP and pkinit for the past year or so. Within
the last week or so, it has started to fail with:

client:
$ /usr/bin/kinit -n -c /tmp/.kerberos_cache
kinit: Preauthentication failed while getting initial credentials

KDC:
KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Failed to verify own certificate (depth 0): unable to get local issuer certificate

I've looked at the KDC and CA certs and their expiration dates are still
valid.

Looking at the system, the packages have recently been updated due to
Debian patching the krb5 packages for a CVE:

krb5 (1.20.1-2+deb12u2) bookworm-security; urgency=high

  * CVE-2024-37370: an unauthenticated attacker can modify the
    extra count in an RFC 4121 GSS token, causing the token to appear
    truncated.
  * CVE-2024-37371: an attacker can cause invalid memory reads by
    sending an invalid GSS token.

 -- Sam Hartman <hartmans@debian.org>  Mon, 01 Jul 2024 11:31:35 -0600

I've tried to downgrade the packages, but the error persists.

I have enabled tracing via the KRB5_TRACE=/dev/stdout variable, for both
the client and KDC. Nothing really stands out.

Does anyone have any ideas about where to look next?

Thanks for the help!

-m
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
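The KDC's "Failed to verify own certificate (depth 0): unable to get local issuer certificate" text is OpenSSL's chain-building error: the issuer of the leaf certificate (depth 0) was not found among the CA certificates the KDC was given, which is a different failure from an expired certificate. The script below is an added example, not part of the list post, that reproduces both the passing and the failing case with a constructed throwaway CA and "KDC" certificate; it assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Constructed test PKI (added example): a CA, a "KDC" certificate signed
# by it, and a second, unrelated CA that should fail to validate it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA certificate and key in $WORK/<name>.pem/.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# make_leaf <ca> <name>: end-entity certificate for <name> signed by <ca>
make_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# check_chain <ca> <leaf>: exit 0 if <leaf> chains to <ca>, nonzero otherwise.
# This is the same chain build the KDC performs on its own pkinit cert; when
# the leaf's issuer is absent from the CA file, OpenSSL reports
# "unable to get local issuer certificate" at depth 0 even though no
# certificate has expired.
check_chain() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1
}

# not_expired <name>: exit 0 if the certificate is still within its validity
# period right now (the check that expiry dates alone would cover).
not_expired() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkend 0 >/dev/null
}

make_ca kdc-ca
make_ca other-ca
make_leaf kdc-ca kdc

echo "against the issuing CA:"; check_chain kdc-ca kdc || true
echo "against an unrelated CA:"; check_chain other-ca kdc || true
```

Run it against the real KDC certificate and the CA file named in the KDC's pkinit configuration by substituting those paths into check_chain; a passing not_expired together with a failing check_chain points at the trust anchor file, not at validity dates.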
