SSH 2FA (password + totp)
by Kjell Cornelius Nicolaysen
Hey,
So I am trying to implement TOTP+password for SSH on a server. In the
past it's been as simple as using Google Authenticator, but seeing as how
we have a shiny FreeIPA server...
Created a user, then gave them a TOTP token (synced and tested that it
works by logging into the web UI). But I'm stuck on the correct way to
implement this on the SSH server.
Found the earlier thread[1] and got some pointers.
sshd config:
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
If I do not define password/otp for the host via the IPA web interface,
login works fine with password. If I set it to password/otp only it fails.
Looking at journalctl -xeu ssh.service, there clearly is some issue.
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
error: PAM: Authentication failure for kjell from 192.168.31.102
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Postponed keyboard-interactive for kjell from 192.168.31.102 port 38832
ssh2 [preauth]
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 4 (System error)
error: PAM: Authentication failure for kjell from 192.168.31.102
Failed keyboard-interactive/pam for kjell from 192.168.31.102 port 38832
ssh2
Connection closed by authenticating user kjell 192.168.31.102 port 38832
[preauth]
Tried giving my password, and my password+otp (without the '+'). But
nothing works.
Anyone got any pointers or see any obvious mistakes?
1:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
--
Mvh,
Kjell C. Nicolaysen
PGP Public key available on request.
Current key (at time of this email) fingerprint:
3F59 7410 AFD5 FC22 F2F1 EEC9 980A 8C9E C126 6716
6 days, 13 hours
Installing Third-Party Certificates-Help
by Polavarapu Manideep Sai
Hi Team,
We need your help or support.
I have a master IPA server and 2 replica IPA servers, and I want to install third-party certificates in my setup:
a. master.ipa.example.com
b. replica1.ipa.example.com
c. replica2.ipa.example.com
1. Generated a new CSR/wildcard certificate on the master IPA server for the domain "*.ipa.example.com" and shared it with the third-party vendor. They shared two zip files, one for Apache and the other for Tomcat, as shown below; after unzipping I see crt and pem files in the zip files, as shown below.
a. _.ipa.onmobile.com_Apache.zip
b. _.ipa.onmobile.com_TOMCAT.zip
unzipped:
[root@dir01 tmp]# tree Apache/
Apache/
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
└── _.ipa.onmobile.com_Apache.zip
0 directories, 4 files
[root@dir01 tmp]# tree Tomcat/
Tomcat/
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
├── gdig2.crt.pem
└── _.ipa.onmobile.com_TOMCAT.zip
0 directories, 5 files
2. Followed the Red Hat documentation but did not understand which of the following is applicable in my case for the received certificates:
Installing Third-Party Certificates for HTTP or LDAP
Installing a CA Certificate Manually
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
Can you please let us know the step-by-step procedure for how to install the certificates?
Can you please also comment on the query below?
3. If I install the certificate, will it get replaced in the "/etc/pki/pki-tomcat/alias/" database as well, along with the httpd and dirsrv databases?
/etc/pki/pki-tomcat/alias/
/etc/httpd/alias/
/etc/dirsrv/slapd-IPA-EXAMPLE-COM
Please let us know if any more details are required.
Sai
1 week, 2 days
Cannot Login with IPA user account
by Damola Azeez
After setting up my IPA environment, I am unable to log in successfully on some of my Linux servers. When I check /var/log/secure for authentication logs, I see the errors below:
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): authentication failure; logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6 (Permission denied)
Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): authentication failure; logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:46 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6 (Permission denied)
From the root user, I can switch to the user (daazeez), but when I try sudo, inputting the password returns authentication failed.
Host: Oracle Linux 7.4
IPA server: IPA, version: 4.9.8
2 weeks, 1 day
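Both the journalctl output in the SSH 2FA thread above and the /var/log/secure lines in this one are Linux-PAM log lines of the same two shapes: a per-module "authentication failure; logname= ... rhost= ... user=" record and a pam_sss "received for user X: N (text)" record carrying the numeric PAM return code. The parser below is an added example, not from either post, that aggregates such lines per PAM service and target user so that the return codes, the calling logname versus the target user, and the remote hosts can be compared at a glance; the sample lines are constructed from the two threads.

```python
import re
from collections import Counter, defaultdict

# Linux-PAM return codes, as shown in "pam_sss(...): received for user X: N (text)".
PAM_CODES = {
    0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED",
}

FAILURE_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[\w-]+):auth\): authentication failure;"
    r"(?P<fields>.*)$")
RECEIVED_RE = re.compile(
    r"pam_sss\((?P<service>[\w-]+):auth\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)")

def parse_fields(text):
    """Turn 'logname=dazeez uid=1001 ... user=daazeez' into a dict (empty values stay '')."""
    return dict(re.findall(r"(\w+)=(\S*)", text))

def summarize(lines):
    """Aggregate per (PAM service, target user): failing modules, result codes,
    remote hosts and calling lognames, so mismatches stand out at a glance."""
    stats = defaultdict(lambda: {"modules": Counter(), "codes": Counter(),
                                 "rhosts": set(), "lognames": set()})
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            f = parse_fields(m.group("fields"))
            entry = stats[(m.group("service"), f.get("user", ""))]
            entry["modules"][m.group("module")] += 1
            if f.get("rhost"):
                entry["rhosts"].add(f["rhost"])
            if f.get("logname"):
                entry["lognames"].add(f["logname"])
            continue
        m = RECEIVED_RE.search(line)
        if m:
            code = int(m.group("code"))
            label = f"{code} {PAM_CODES.get(code, m.group('text'))}"
            stats[(m.group("service"), m.group("user"))]["codes"][label] += 1
    return dict(stats)

# Constructed sample, modelled on the two threads (not the original log files).
SAMPLE = """\
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.102 user=kjell
pam_sss(sshd:auth): received for user kjell: 7 (Authentication failure)
pam_sss(sshd:auth): received for user kjell: 4 (System error)
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): authentication failure; logname=dazeez uid=1001 euid=0 tty=pts/1 ruser=dazeez rhost= user=daazeez
Dec 30 12:18:31 e-recondbtest su: pam_sss(su-l:auth): received for user daazeez: 6 (Permission denied)
""".splitlines()

if __name__ == "__main__":
    for (service, user), s in sorted(summarize(SAMPLE).items()):
        print(f"{service:>5} user={user!r} modules={dict(s['modules'])} codes={dict(s['codes'])} "
              f"rhosts={sorted(s['rhosts'])} lognames={sorted(s['lognames'])}")
```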
Grant sudo to users only on their own workstations
by Ranbir
We have many users that run GNU/Linux workstations. At the moment
everyone is using local accounts. We want to convert them to IPA
clients and still allow them sudo privileges on their own workstations.
It's easy to grant them access to their workstations by making them all
a member of a "workstation" AD group and letting them log in with ssh,
GNOME, etc. What's less obvious is how to centrally give them sudo
access only on their own workstations.
I could create an HBAC rule per person to give them sudo privileges to
their own workstation, but then I'll have to make hundreds of rules.
The only solution appears to be to keep the access (i.e. ssh, desktop
environment) centrally controlled in IPA, but make the custom sudo
access locally controlled. Is this the only way to do what I want?
Thanks in advance.
--
Ranbir
2 weeks, 6 days
ipa: ERROR: Failed to authenticate to CA REST API
by junhou he
ipactl status shows that the services are running normally
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
but ipa cert-show prompts an error:
ipa: ERROR: Failed to authenticate to CA REST API
I can't find the relevant error in the ipa log file; does anyone know how to debug this problem?
3 weeks, 1 day
Install client fails in Ubuntu 22.04
by Gustavo Berman
Hello there!
Ubuntu 18.04 (and previous ones) work just fine.
In Ubuntu 22.04 I'm trying to execute ipa-client-install but it fails with:
root@fisica75:~# ipa-client-install
This program will set up IPA client.
Version 4.9.8
WARNING: conflicting time&date synchronization service 'ntp' will be
disabled in favor of chronyd
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: fisica75.fisica.cabib
Realm: FISICA.CABIB
DNS Domain: fisica.cabib
IPA Server: ipaserver.fisica.cabib
BaseDN: dc=fisica,dc=cabib
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was
provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: tavo
Password for tavo(a)FISICA.CABIB:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=FISICA.CABIB
Issuer: CN=Certificate Authority,O=FISICA.CABIB
Valid From: 2014-01-14 12:56:57
Valid Until: 2034-01-14 12:56:57
Enrolled in IPA realm FISICA.CABIB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm FISICA.CABIB
cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch,
certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997)
The ipa-client-install command failed. See /var/log/ipaclient-install.log
for more information
root@fisica75:~#
There is no Hostname mismatch for the server certificate. It has been
working just fine for years with multiple distros as clients. I can access
the website with the same URL and cert is just fine.
Any ideas?
Thanks!
--
Gustavo Berman
4 weeks
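One thing worth checking on the server certificate when a hostname-mismatch error appears while the name in the subject looks right: a strict validator reads only the subjectAltName dNSName entries and ignores the subject CN, so a certificate that carries the hostname only in its CN passes a legacy check and fails a strict one. The example below is added here and is not part of the thread; it implements RFC 6125-style matching over the dict shape returned by Python's ssl.SSLSocket.getpeercert() in both forms, with constructed certificate contents that reuse only the names from the post.

```python
# Constructed certificate dicts in the shape returned by ssl.SSLSocket.getpeercert();
# the names are the ones from the thread, the certificate contents are assumptions.
LEGACY_CERT = {  # subject CN only, no subjectAltName extension
    "subject": ((("commonName", "ipaserver.fisica.cabib"),),),
    "issuer": ((("commonName", "Certificate Authority"),), (("organizationName", "FISICA.CABIB"),)),
}
MODERN_CERT = {  # same CN, plus the SAN entries that a strict validator actually reads
    "subject": ((("commonName", "ipaserver.fisica.cabib"),),),
    "subjectAltName": (("DNS", "ipaserver.fisica.cabib"), ("DNS", "ipa-ca.fisica.cabib")),
}

def _name_matches(pattern, host):
    """RFC 6125 style: case-insensitive, and '*' is accepted only as the entire
    leftmost label of a name with at least three labels (no '*.tld', no 'h*.example')."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def san_dns_names(cert):
    """All dNSName entries of the subjectAltName extension (empty if the extension is absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    """All commonName attributes of the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(cert, host, cn_fallback=False):
    """Strict (default): only SAN dNSName entries are consulted, which is what current
    TLS stacks do. cn_fallback=True reproduces the legacy rule of falling back to the
    subject CN, and only when the certificate carries no dNSName at all."""
    names = san_dns_names(cert)
    if not names and cn_fallback:
        names = common_names(cert)
    return any(_name_matches(n, host) for n in names)

if __name__ == "__main__":
    host = "ipaserver.fisica.cabib"
    for label, cert in (("legacy (CN only)", LEGACY_CERT), ("modern (with SAN)", MODERN_CERT)):
        print(f"{label:18} strict={hostname_matches(cert, host)} "
              f"cn_fallback={hostname_matches(cert, host, cn_fallback=True)}")
```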
Cannot authenticate using enterprise principal
by Oleg Baranov
Hi Community,
Cannot authenticate using a user's secondary email as an alternative name
(need to set up an email server with several virtual domains).
According to https://bugzilla.redhat.com/show_bug.cgi?id=1328552 this is
expected to work but seems I'm missing something.
Created a fresh VM just to deal with the issue:
[root@mgsauth02 ol]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
[root@mgsauth02 ol]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
All packages updated.
Repeating commands from the test script
https://bugzilla.redhat.com/show_bug.cgi?id=1328552#c13
[root@mgsauth02 ol]# ipa user-add tuser --first test --last user --password
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
User login: tuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/tuser
GECOS: test user
Login shell: /bin/sh
Principal name: tuser(a)TESTRELM.CO
Principal alias: tuser(a)TESTRELM.CO
User password expiration: 20221224134753Z
Email address: tuser(a)testrelm.co
UID: 1563000004
GID: 1563000004
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@mgsauth02 ol]# kinit admin
Password for admin(a)TESTRELM.CO:
[root@mgsauth02 ol]# ipa user-add-principal tuser talias talias\\(a)ent.test
---------------------------------
Added new aliases to user "tuser"
---------------------------------
User login: tuser
Principal alias: tuser(a)TESTRELM.CO, talias\@ent.test(a)TESTRELM.CO,
talias(a)TESTRELM.CO
[root@mgsauth02 ol]# kinit talias
Password for talias(a)TESTRELM.CO:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@mgsauth02 ol]# klist
Ticket cache: KCM:0:60382
Default principal: tuser(a)TESTRELM.CO
Valid starting Expires Service principal
12/24/2022 13:51:02 12/25/2022 13:10:41 krbtgt/TESTRELM.CO(a)TESTRELM.CO
[root@mgsauth02 ol]# kinit -C talias
Password for talias(a)TESTRELM.CO:
[root@mgsauth02 ol]# klist
Ticket cache: KCM:0:52413
Default principal: tuser(a)TESTRELM.CO
Valid starting Expires Service principal
12/24/2022 13:52:32 12/25/2022 13:18:25 krbtgt/TESTRELM.CO(a)TESTRELM.CO
=== So far OK. But when trying the alias in email form:
[root@mgsauth02 ol]# kinit talias\\(a)ent.test
kinit: Client 'talias\@ent.test(a)TESTRELM.CO' not found in Kerberos
database while getting initial credentials
[root@mgsauth02 ol]# kinit -E talias\\(a)ent.test
kinit: Client 'talias\@ent.test(a)TESTRELM.CO' not found in Kerberos
database while getting initial credentials
And the following appears in /var/log/krb5kdc.log:
Dec 24 13:54:32 mgsauth02.infra.smartshell.gg krb5kdc[1119](info):
AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17),
camellia128-cts-cmac(25)}) 10.255.0.252: CLIENT_NOT_FOUND:
talias\@ent.test(a)TESTRELM.CO for krbtgt/TESTRELM.CO(a)TESTRELM.CO, Client
not found in Kerberos database
Dec 24 13:54:32 mgsauth02.infra.smartshell.gg krb5kdc[1119](info):
closing down fd 11
Tried adding "|krb5_use_enterprise_principal = True|" to sssd.conf as
mentioned in
https://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains but
without any change.
Any advice, please?
1 month
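The `talias\@ent.test@TESTRELM.CO` seen in the kinit error and the KDC log (the list archive renders '@' as '(a)') is MIT krb5's quoted form of a principal whose single component contains a literal '@', with the realm appended after the unquoted '@'; the doubled backslash typed on the command line is shell quoting and kinit receives a single one. The example below is added here and is not from the thread: it parses and re-emits principal strings with krb5's backslash quoting and recognises that single-component, UPN-shaped form, so the names in such logs can be read unambiguously.

```python
# MIT krb5 principal quoting: inside components and the realm a backslash escapes
# the next character; '\/' '\@' '\\' stand for the literal character, and '\n' '\t'
# '\b' '\0' for the control characters. Any other escaped character is taken literally.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}

def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm), honouring backslash quoting.
    realm is None when the string contains no unquoted '@'."""
    parts, buf, realm, i = [], [], None, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # quoted character: take it literally
            nxt = text[i + 1]
            buf.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if c == "/" and realm is None:           # unquoted component separator
            parts.append("".join(buf))
            buf = []
        elif c == "@" and realm is None:         # unquoted realm separator (first one wins)
            parts.append("".join(buf))
            buf = []
            realm = ""                           # sentinel: the rest of the string is the realm
        else:
            buf.append(c)
        i += 1
    if realm is None:
        parts.append("".join(buf))
    else:
        realm = "".join(buf)
    return parts, realm

def unparse_principal(components, realm):
    """Inverse of parse_principal: quote '\\', '/' and '@' so the string round-trips."""
    def quote(s):
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    name = "/".join(quote(c) for c in components)
    return name if realm is None else f"{name}@{quote(realm)}"

def looks_like_enterprise_name(components, realm):
    """The shape kinit -E produces: exactly one component that itself contains an '@'
    (the UPN), followed by the local realm. This checks the string form only; the
    name-type flag carried in the protocol is not visible in a printed principal."""
    return len(components) == 1 and "@" in components[0] and realm is not None

if __name__ == "__main__":
    for text in ("tuser@TESTRELM.CO", r"talias\@ent.test@TESTRELM.CO", "krbtgt/TESTRELM.CO@TESTRELM.CO"):
        comps, realm = parse_principal(text)
        print(f"{text:32} components={comps} realm={realm} enterprise={looks_like_enterprise_name(comps, realm)}")
```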
ipa upgrade failed
by Martin (Lists)
Hello all,
I have a strange issue with one of my IPA servers. After an upgrade from
Fedora 35 to Fedora 37, the ipa-server-upgrade failed on the pki-tomcat
part. The ipaupgrade.log says:
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET
https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype
html><html lang="de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht
gefunden</title><style
type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3,
b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;
} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 40
4 \xe2\x80\x93 nicht gefunden</h1><hr class="line" /><p><b>Type</b>
Status Report</p><p><b>Message</b> The requested resource
[/ca/rest/account
/login] is not available</p><p><b>Beschreibung</b> The origin server
did not find a current representation for the target resource or is not
willing to
disclose that one exists.</p><hr class="line" /><h3>Apache
Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG   File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 2061, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1914, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2155, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2209, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal One or more
listeners failed to start. Full details will be found in the appropriate
container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal Context [/ca]
startup failed due to previous errors
the CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to
ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Verbindungsaufbau abgelehnt
with many Java traceback errors following. The directory server is running
at this time and there is no connection reported at the given time.
ipa-healthcheck does not give any errors or warnings. Restarting the
pki-tomcat server manually afterwards works fine and does not give
any errors. Starting ipa in force mode gives no errors as well. What can
I do?
Regards
Martin
1 month
Re: LDAP error after re-initializing replica server
by Hirata, Tyler
I was able to get it working by doing the following.
I tore down the primary server and stood it up again with ipa-server installed and then I restored it from a backup taken today. On the replica server I created another user account because if my understanding of how the re-initialize command works is correct, that user account shouldn’t be on the replica anymore once it re-initializes with the master since it was created after the backup was taken.
After I got the primary restored, I ran the re-initialize command on the replica and it worked!
Because I was curious, I performed the same steps I mentioned above, but this time I used an older backup and I started running into the LDAP issues again.
My question is, do the backups get a little wonky the older they are?
Tyler
From: Hirata, Tyler via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: Wednesday, December 21, 2022 at 8:18 AM
To: Rob Crittenden <rcritten(a)redhat.com>, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Hirata, Tyler <thirata(a)caltech.edu>
Subject: [Freeipa-users] Re: LDAP error after re-initializing replica server
Hi Rob,
I took two backups from this month. The 1st one I tried was from December 5th, and the more recent one was from the 16th. The replica did exist at the time I took the backup.
Are there implications deleting the replica VMs and starting from scratch? The only way I was able to get the restore to work was, I just restored the primary server and then I deleted the VM the replica was on and I rebuilt it and setup replication from scratch.
Tyler
From: Rob Crittenden <rcritten(a)redhat.com>
Date: Wednesday, December 21, 2022 at 5:49 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Hirata, Tyler <thirata(a)caltech.edu>
Subject: Re: [Freeipa-users] LDAP error after re-initializing replica server
Hirata, Tyler via FreeIPA-users wrote:
> I’m testing out IPA and wanted to see how restoring backups work. I
> successfully restored an older backup to my master node, but when I hop
> on my replica nodes and run the re-initialization command, I get an LDAP
> error. I was wondering if anyone has experienced this?
>
> ipa-replica-manage re-initialize --from ipa1.domain.com
>
> Update in progress, 15 seconds elapsed
>
> [ldaps:// ipa1.domain.com:636] reports: Update failed! Status: [Error
> (49) - LDAP error: Invalid credentials - no response received]
>
>
>
> I’ve cleared all my Kerberos cache by running kdestroy and I restarted
> directory services and rebooted the primary and secondary servers.
How old was this restore? Did the replica exist when the backup was taken?
rob
1 month