
FIPS-enabled container Kerberos authentication fails because of user salt length requirements #38840

Closed as not planned
@dcapaccio

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication

Describe the bug

During Keycloak browser interface log-in, Kerberos authentication fails for any user name + domain shorter than 14 characters (e.g. user@site logging into the site.com domain).

I traced this down as I was receiving an error message when a user attempted to log in to a specific domain:

Uncaught server error: org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: salt must be at least 128 bits

Enabling further logging showed the following for what the "salt" was:

>>>Pre-Authentication Data:
                PA-DATA type = 19
                PA-ETYPE-INFO2 etype = 18, salt = DEPOT.NAMEusera, s2kparams = null

I had a hunch, so I created a user with a longer name "longname" in the domain DEPOT.NAME and it worked flawlessly. The "salt" in this case is DEPOT.NAMElongname which worked fine.

Version

26.0

Regression

  • The issue is a regression

Expected behavior

Expected behavior is that a user in a domain can have any length username/domain and not fail authentication on FIPS-enabled systems.

Actual behavior

Usernames + FQDN of less than 14 characters (128 bits hashed) fail. (user@site.com would not work)

How to Reproduce?

Follow the FIPS configuration documentation provided to start a FIPS-approved version of the Keycloak container on a RHEL9 system that is FIPS-enabled and FIPS-strict. Create a domain with a FQDN and a user in that domain whose combined length is < 14. Configure the RHEL9 system to use Kerberos and join the domain. Enable Kerberos User Federation in Keycloak. Log in to the web interface with the username and domain.

Anything else?

Unfortunately I can't provide the logs due to it occurring on an air-gapped network.

The issue may be as simple as improving the documentation to be clearer about a setting that I'm missing, or it could be more complicated, such as making the "salt" that is generated in the KDC configuration be a minimum of 14 characters so that the FIPS-approved hashing algorithms work with shorter user+domain combos.

I noticed that in the documentation for the FIPS guide there's a section for user passwords being longer than 14 characters. It suggests using the option --spi-password-hashing-pbkdf2-sha512-max-padding-length=14. Is there an option like that for user hashing?
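To make the failure mode in this report reproducible offline, the following added example (not Keycloak or Bouncy Castle code) models the salt shown in the PA-ETYPE-INFO2 log line: the RFC 4120 default salt is the realm followed by the principal name components with no separator, and it is the salt fed into the PBKDF2 stage of RFC 3962 AES string-to-key. The 128-bit guard, the `FipsUnapprovedOperationError` stand-in and the two principals `usera` and `longname` in realm `DEPOT.NAME` are taken from the report; the final DK() step of RFC 3962 is omitted.

```python
"""Kerberos default salt vs. the 128-bit PBKDF2 salt minimum enforced in FIPS mode."""
import hashlib

FIPS_MIN_SALT_BITS = 128         # minimum quoted in the provider error message
RFC3962_ITERATIONS = 4096        # RFC 3962 default when s2kparams is null
ETYPE_KEYLEN = {17: 16, 18: 32}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


class FipsUnapprovedOperationError(Exception):
    """Stand-in for the Bouncy Castle FIPS error quoted in the report."""


def default_salt(realm: str, *components: str) -> bytes:
    """RFC 4120 s.4.1: realm followed by the principal components, no separators."""
    return (realm + "".join(components)).encode("utf-8")


def salt_meets_fips_minimum(salt: bytes) -> bool:
    """True when the salt is at least 128 bits (16 bytes) long."""
    return len(salt) * 8 >= FIPS_MIN_SALT_BITS


def pbkdf2_stage(password: str, salt: bytes, etype: int = 18,
                 iterations: int = RFC3962_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key, with the FIPS salt guard.

    Raises the same kind of error a FIPS-mode provider raises for a short salt,
    so a short realm+principal fails here before any key material is derived.
    """
    if not salt_meets_fips_minimum(salt):
        raise FipsUnapprovedOperationError(
            f"salt must be at least {FIPS_MIN_SALT_BITS} bits (got {len(salt) * 8})")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, ETYPE_KEYLEN[etype])


def check_principal(realm: str, *components: str) -> dict:
    """Report the default salt for a principal and whether FIPS mode would accept it."""
    salt = default_salt(realm, *components)
    return {"salt": salt.decode("utf-8"), "bits": len(salt) * 8,
            "fips_ok": salt_meets_fips_minimum(salt)}


if __name__ == "__main__":
    # The two principals from the report: usera (fails) and longname (works).
    for name in ("usera", "longname"):
        print(check_principal("DEPOT.NAME", name))
```

Running it shows `DEPOT.NAMEusera` is 120 bits and rejected while `DEPOT.NAMElongname` is 144 bits and accepted, matching the behaviour described above.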
