ports/159943: openldap slapd ignores rc,conf slapd_krt5_ktname

Sat Aug 20 18:30:13 UTC 2011

>Number:         159943
>Category:       ports
>Synopsis:       openldap slapd ignores rc,conf slapd_krt5_ktname
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 20 18:30:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Harry Coin
>Release:        8.2-STABLE
>Organization:
>Environment:
FreeBSD fs1.quietfountain.com 8.2-STABLE FreeBSD 8.2-STABLE #0: Tue Aug 16 17:49:27 CDT 2011     root at fs1.quietfountain.com:/usr/obj/usr/src/sys/fs1-amd64-8-stable  amd64
>Description:
This report is about a bug leading to a security hole and is a problem for those who want to use kerberos/heimdal to authenticate, and openldap via sasl/gssapi/kerberos libraries to provide the uid, gid and all the nss related information -- where the openldap slapd is also running on the same box as a kerberos server needing the host/... key in krb5.conf. 

Because init_context_from_config_file(krb5_context context) in /usr/src/crypto/heimdal/lib/krb5/context.c has:
..
/* default keytab name */
    tmp = NULL;
    if(!issuid())   // maps to issetugid() in freebsd
        tmp = getenv("KRB5_KTNAME");
    if(tmp != NULL)
        context->default_keytab = tmp;
..

When the openldap daemon is run in /usr/local/etc/rc.d/slapd --> /usr/local/libexec/slapd -u ldap -g ldap

The rc.conf option slapd_krt5_ktname which sets KRB5_KTNAME in the environment, is ignored by the ldap server.

That makes it impossible to put the kerberos key ldap/box.domain.com/REALM in a different key file than /etc/krb5.keytab.   That's a security problem because kerberos wants to authenticate between the KDC and the key server with   host/box.domain.com/REALM in that /etc/krb5.keytab same file. 

By forcing both those keys to be in the same file, you have to give the openldap slapd daemon read access to the krb5.keytab file.  So, compromise ldap (not exactly the most hardened app out there), and you get to be a key server... it all fails.

>How-To-Repeat:
Start with a working ldap sasl gssapi kerberos/heimdal system verify ldapwhoami works on the kerberos server (also the openldap slapd server).   Use ktutil to remove the ldap/<yourhost>.<yourdomain..>@YOURREALM key from /etc/krb5.conf.  Set 0600 security on /etc/krb5.conf which should at this point be owned by root:wheel and have only the host/<yourhost>.<yourdomain> .. key in it.   Use kadmin and ext to put the key for the principal ldap/host.domain... etc into /etc/krb5.ldap.keytab.   chown ldap:ldap that file which should have 0600 security.  set the rc.conf option slapd_krt5_ktname="/etc/krb5.ldap.keytab".  /usr/local/etc/rc.d/slapd restart or reboot.

Notice now the ldapwhoami fails with 

SASL(-1): generic failure: GSSAPI Error: No
credentials were supplied, or the credentials were unavailable or inaccessible.
(unknown mech-code 0 for mech unknown)

Use ktutil to put the ldap/host.domain.com at REALM key in a file other than /etc/krb.keytab.  Use the rc.conf option slapd_krt5_ktname=... to point to that file.  Start slapd.  On another system, authenticate with kinit, set up /home/user/ldaprc and so forth, do a ldapwhoami.
>Fix:
This is not a fix.  It is however a decent work-around. 

The challenge to security is having both the ldap/... and host/... key in the same /etc/krb5.keytab file allowing ldap's slapd access to the host key.  The preferred, clean answer is to move the ldap key into it's own ldap.keytab in /usr/local/etc/openldap/krb5.ldap.keytab file.  The above bug makes it impossible for the system to access any other than /etc/krb5.keytab.

The workaround is instead of moving the ldap/... key out of /etc/krb5.keytab and into its own file, move the host key out of there and edit /etc/krb5.conf to tell kerberos servers where to find the new host keytab file.   So in the section in /etc/krb5.conf add

[libdefaults]
   default_keytab = /etc/krb5.host.keytab

Then, rename /etc/krb5.keytab to /etc/krb5.host.keytab.
Chmod 0600 /etc/krb5.host.keytab
chown root:wheel /etc/krb5.host.keytab

use ktutil remove -k /etc/krb5.host.keytab ldap   (and anything else other than the host/... keys).  Use kadmin to create /etc/krb5.conf with only the ldap key in it, then chown ldap:ldap /etc/krb5.conf.

ldapwhoami then works once again, and the host key is separate from the ldap key.

>Release-Note:
>Audit-Trail:
>Unformatted: