KRB5: read keytab copy in offline mode too#8671
#8671: alexey-tikhonov wants to merge 1 commit into SSSD:master from
The process can transition from offline pre-auth to online auth within the same invocation.
Code Review
This pull request modifies the privileged_krb5_setup function in krb5_child.c to allow keytab setup even when offline, while adding a guard to skip FAST configuration in offline mode. Feedback suggests that skipping FAST setup entirely when offline could lead to security issues or authentication failures if the process transitions to online mode later, as the FAST options would not be properly initialized.
| if (kr->fast_val != K5C_FAST_NEVER) { | ||
| if (!offline && kr->fast_val != K5C_FAST_NEVER) { |
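Review bot: the added `!offline` guard silently turns `K5C_FAST_DEMAND` into "no FAST at all" for a child that starts offline, and nothing in the hunk records that the setup was skipped. At minimum add an `else` path that logs at DEBUG level that FAST setup was skipped because of offline mode, and state in the commit message how the later online transition gets FAST configured, so the downgrade is visible in the krb5_child log rather than only in the resulting authentication behaviour.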
The addition of the !offline guard here prevents FAST from being configured if the krb5_child process starts in offline mode. While this avoids a failing network operation during initial setup, it creates a problem for the transition to online mode mentioned in the PR description. If the process transitions to online mode later (e.g., via k5c_send_and_recv), it will attempt authentication without FAST being configured in kr->options. This is particularly problematic if kr->fast_val == K5C_FAST_DEMAND, as the authentication might proceed insecurely (without FAST) if the KDC allows it, or fail unexpectedly. Consider performing a partial FAST setup (e.g., setting the FAST flags in kr->options) even when offline, or ensuring that FAST setup is re-evaluated during the transition to online mode in k5c_setup.
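To make the transition concern above concrete, here is an added model of the decision logic (not SSSD code): the guard from the hunk runs during offline pre-auth, the child then goes online, and `auth_may_proceed` applies the rule that `K5C_FAST_DEMAND` must refuse rather than downgrade. `struct k5c_state`, `fast_configured`, `go_online`, `scenario` and `K5C_FAST_TRY` are assumptions for the model, not the real `kr` layout.

```c
#include <stdbool.h>
#include <stdio.h>

enum fast_mode { K5C_FAST_NEVER, K5C_FAST_TRY, K5C_FAST_DEMAND };

/* Assumed stand-in for kr: fast_configured models "FAST set in kr->options". */
struct k5c_state { enum fast_mode fast_val; bool offline; bool fast_configured; };

/* The guard from the hunk: FAST setup only runs when the child is online. */
static void privileged_setup(struct k5c_state *kr)
{
    if (!kr->offline && kr->fast_val != K5C_FAST_NEVER)
        kr->fast_configured = true;   /* real code would configure FAST here */
}

/* Offline->online transition; reevaluate_fast models the re-check the review asks for. */
static void go_online(struct k5c_state *kr, bool reevaluate_fast)
{
    kr->offline = false;
    if (reevaluate_fast && kr->fast_val != K5C_FAST_NEVER)
        kr->fast_configured = true;
}

/* DEMAND must refuse an unarmored exchange instead of silently downgrading. */
static bool auth_may_proceed(const struct k5c_state *kr)
{
    return !(kr->fast_val == K5C_FAST_DEMAND && !kr->fast_configured);
}

/* Scenario from the PR description: offline pre-auth, then online auth.
 * Returns bit 0 = FAST configured at auth time, bit 1 = auth allowed to run. */
int scenario(enum fast_mode mode, bool reevaluate_fast)
{
    struct k5c_state kr = { mode, true, false };
    privileged_setup(&kr);
    go_online(&kr, reevaluate_fast);
    return (kr.fast_configured ? 1 : 0) | (auth_may_proceed(&kr) ? 2 : 0);
}

int main(void)
{
    /* 0: FAST never configured and DEMAND refuses the auth step */
    printf("DEMAND, guard only:   %d\n", scenario(K5C_FAST_DEMAND, false));
    /* 3: FAST configured at the transition, auth may proceed */
    printf("DEMAND, re-evaluated: %d\n", scenario(K5C_FAST_DEMAND, true));
    return 0;
}
```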
@sumit-bose, what would you say?
Patch is triggered by https://bugzilla.redhat.com/show_bug.cgi?id=2464782
I mean, that's not introduced by this patch, but is it worth fixing?
Hi,
thank you for covering this use case. But I wonder if it wouldn't be better to just not keep krb5_child running when offline. The reason to keep krb5_child running is to keep the context/session to the KDC, especially for authentication types where this is required. Since there is no context/session if krb5_child is offline during SSS_PAM_PREAUTH I think krb5_child can just stop.
bye,
Sumit
> if krb5_child is offline during SSS_PAM_PREAUTH I think krb5_child can just stop.

What is krb5_child expected to do in this case - SSS_PAM_PREAUTH & offline?
I mean, currently it tries tgt_req_child() without checking the offline flag:
sssd/src/providers/krb5/krb5_child.c, line 4476 in e5b6597
In theory if SSSD is offline this doesn't make sense.
But practically, in this specific case - https://bugzilla-attachments.redhat.com/attachment.cgi?id=2139368 - the situation is different:
[unpack_buffer] (0x0100): [RID#632] cmd [249 (pre-auth)] uid [1367600004] gid [1367600004] validate [true] enterprise principal [false] offline [true] UPN [james@CB.ETTLE.ORG.UK]
[unpack_buffer] (0x0100): [RID#632] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
[k5c_ccache_check] (0x4000): [RID#632] Old ccache is [KCM:] and is active and TGT is valid.
[k5c_ccache_check] (0x4000): [RID#632] Reusing old ccache [KCM:]
[main] (0x0400): [RID#632] Will perform pre-auth
[tgt_req_child] (0x1000): [RID#632] Attempting to get a TGT
[get_and_save_tgt] (0x0400): [RID#632] Attempting kinit for realm [CB.ETTLE.ORG.UK]
[sss_krb5_auth_methods_request] (0x4000): [RID#632] Got request [password].
-- KDC is actually reachable.